From bddcd484c17933093e8a66ad41c010392228457e Mon Sep 17 00:00:00 2001
From: LewisB <lewis@gooddollar.org>
Date: Tue, 6 Jan 2026 11:47:24 +0700
Subject: [PATCH] allow any origin to call topWallet

---
 src/server/server-middlewares.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/server/server-middlewares.js b/src/server/server-middlewares.js
index f2a662d1..a481e51c 100644
--- a/src/server/server-middlewares.js
+++ b/src/server/server-middlewares.js
@@ -44,6 +44,17 @@ export default async (app: Router) => {
         ? /(\.?goodd(ollar|app)\.org$)|localhost|localhost:3000|good-wallet-v2\.vercel\.app|goodwallet\.xyz/
         : true
   }
+  const openCorsConfig = {
+    origin: true,
+    credentials: false
+  }
+  const openCorsPaths = new Set(['/verify/topwallet'])
+  const corsDelegate = (req, callback) => {
+    if (openCorsPaths.has(req.path)) {
+      return callback(null, openCorsConfig)
+    }
+    return callback(null, corsConfig)
+  }
 
   if (env === 'production') {
     app.set('trust proxy', 1) //this is required for heroku to pass ips correctly to rate limiter
@@ -63,7 +74,7 @@ export default async (app: Router) => {
   app.use(bodyParser.json({ limit: '100mb' }))
   // parse UTM cookies
   app.use(cookieParser())
-  app.use(cors(corsConfig))
+  app.use(cors(corsDelegate))
   app.use(addRequestLogger)
   addLoginMiddlewares(app)
   addStorageMiddlewares(app, UserDBPrivate)