Code cleanup and mild CORS tweaks

RobFaustLZ · RobFaustLZ · commit 107a6acec827 · 2025-05-18T17:58:26.000-05:00
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "labelzoom-cf-api-proxy",
-  "version": "1.0.14",
+  "version": "1.0.15",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
diff --git a/src/cors.ts b/src/cors.ts
@@ -1,9 +1,19 @@
+/* CORS-safelisted response headers:
+ * - Cache-Control
+ * - Content-Language
+ * - Content-Length
+ * - Content-Type
+ * - Expires
+ * - Last-Modified
+ * - Pragma
+ */
+
 const corsHeaders = {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET,HEAD,POST,PUT,DELETE,OPTIONS",
     "Access-Control-Max-Age": "86400",
     "Access-Control-Allow-Credentials": "true",
-    "Access-Control-Expose-Headers": "X-LZ-Request-ID",
+    "Access-Control-Expose-Headers": "Retry-After, X-LZ-Request-ID",
 };
 
 /**
@@ -19,15 +29,15 @@ export async function handleOptions(request: Request, env: Env): Promise<Respons
     }
 
     if (
-        request.headers.get("Origin") !== null &&
+        origin !== '' &&
         request.headers.get("Access-Control-Request-Method") !== null &&
         request.headers.get("Access-Control-Request-Headers") !== null
     ) {
         // Handle CORS preflight requests.
         return new Response(null, {
             headers: {
                 ...corsHeaders,
-                "Access-Control-Allow-Origin": request.headers.get("Origin") ?? '',
+                "Access-Control-Allow-Origin": origin,
                 "Access-Control-Allow-Headers": request.headers.get("Access-Control-Request-Headers") ?? '',
             },
         });
diff --git a/src/index.ts b/src/index.ts
@@ -82,11 +82,7 @@ async function handleConversionLog(request: Request<unknown, IncomingRequestCfPr
 async function proxyRequestToBackend(request: Request, url: URL, env: Env, requestID = ''): Promise<Response> {
     const backendUrl = env.LZ_PROD_API_BASE_URL + url.pathname + url.search;
     const newRequest = new Request(backendUrl, request);
-    let ip = request.headers.get("X-Forwarded-For") ?? '';
-    if (!ip) {
-        ip = request.headers.get("Cf-Connecting-Ip") ?? '';
-    }
-    newRequest.headers.set('X-LZ-IP', ip);
+    newRequest.headers.set('X-LZ-IP', request.headers.get("Cf-Connecting-Ip") ?? request.headers.get("X-Forwarded-For") ?? '');
     newRequest.headers.set('X-LZ-Secret-Key', env.LZ_PROD_API_SECRET_KEY)
     if (requestID) newRequest.headers.set("X-LZ-Request-ID", requestID);
     const response = await fetch(newRequest);

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "labelzoom-cf-api-proxy",`
`3`		`- "version": "1.0.14",`
	`3`	`+ "version": "1.0.15",`
`4`	`4`	`"private": true,`
`5`	`5`	`"scripts": {`
`6`	`6`	`"deploy": "wrangler deploy",`