98tools · abdulkarim1422 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/.env.example b/.env.example
@@ -2,3 +2,5 @@ VITE_NODE_ENV=demo
 
 # FE-main host URL used by federation to load feMain/api
 VITE_FE_MAIN_MF=http://localhost:5173
+
+VITE_ALLOWED_ORIGINS=https://localhost:5173,https://127.0.0.1:5173,https://98tools.com,https://*.98tools.com
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
@@ -1,4 +1,4 @@
-name: (main) [fe+mf] Deploy to Cloudflare Workers
+name: (dev) [fe+mf] Deploy to Cloudflare Workers
 
 on:
   push:
@@ -30,6 +30,7 @@ jobs:
         env:
           VITE_FE_MAIN_MF: ${{ vars.VITE_FE_MAIN_MF }}
           VITE_NODE_ENV: ${{ vars.VITE_NODE_ENV }}
+          VITE_ALLOWED_ORIGINS: ${{ vars.VITE_ALLOWED_ORIGINS }}
         run: npm run build
 
       - name: Deploy worker

diff --git a/public/_headers b/public/_headers
diff --git a/vite.config.ts b/vite.config.ts
@@ -31,5 +31,57 @@ export default defineConfig(({ mode }) => {
       emptyOutDir: false,
       target: 'esnext',
     },
+    server: getServerConfig(env),
   };
 })
+
+function isOriginAllowed(origin: string, allowedOrigins: string[]): boolean {
+  return allowedOrigins.some(allowedOrigin => {
+    if (allowedOrigin.includes('*')) {
+      // Convert wildcard pattern to regex
+      // e.g., 'https://*.98.tools' -> /^https:\/\/.*\.98\.tools$/
+      const pattern = allowedOrigin
+        .replace(/\./g, '\\.')
+        .replace(/\*/g, '[a-zA-Z0-9-]*');
+      const regex = new RegExp(`^${pattern}$`);
+      return regex.test(origin);
+    } else {
+      // Exact match
+      return origin === allowedOrigin;
+    }
+  });
+}
+
+function getServerConfig(env: Record<string, string>): import('vite').ServerOptions | undefined {
+  // Parse allowed origins from environment variable
+  const allowedOriginsStr = env.VITE_ALLOWED_ORIGINS || '';
+  const allowedOrigins = allowedOriginsStr
+    .split(',')
+    .map(origin => origin.trim())
+    .filter(origin => origin.length > 0);
+
+  const serverConfig: import('vite').ServerOptions = {
+    host: true,
+    port: 5173,
+    middleware: [(req, res, next) => {
+      const origin = req.headers.origin || '';
+
+      // Check if origin is allowed
+      if (allowedOrigins.length > 0 && isOriginAllowed(origin, allowedOrigins)) {
+        res.setHeader('Access-Control-Allow-Origin', origin);
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+        res.setHeader('Access-Control-Allow-Credentials', 'true');
+      }
+
+      if (req.method === 'OPTIONS') {
+        res.writeHead(200);
+        res.end();
+      } else {
+        next();
+      }
+    }],
+  };
+
+  return serverConfig;
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,3 +2,5 @@ VITE_NODE_ENV=demo

		# FE-main host URL used by federation to load feMain/api
		VITE_FE_MAIN_MF=http://localhost:5173

		VITE_ALLOWED_ORIGINS=https://localhost:5173,https://127.0.0.1:5173,https://98tools.com,https://*.98tools.com