Updating auth

crates/siren-api/src/app.rs

@@ -1,5 +1,5 @@
 use crate::{AppState, error::Result};
-use axum::Router;
+use axum::{Router, http::HeaderValue};
 use std::{env, sync::Arc};
 use tokio::net::TcpListener;
 use tower_http::{
@@ -19,17 +19,36 @@ impl App {
   pub async fn serve(self) -> Result<()> {
     log::debug!("Starting API...");
 
-    let cors = CorsLayer::new()
-      .allow_origin(Any)
-      .allow_methods(Any)
-      .allow_headers(Any);
+    // Build CORS layer.
+    //
+    // In production both the UI and API are served from the same origin so
+    // CORS is a non-issue.  In development, Vite proxies all /api/* calls so
+    // the browser also never makes cross-origin requests directly to this
+    // server.  We keep a permissive default for convenience, but restrict it
+    // when CORS_ORIGIN is explicitly set.
+    let cors = match env::var("CORS_ORIGIN") {
+      Ok(origin) if origin != "*" => {
+        let header_val = origin
+          .parse::<HeaderValue>()
+          .expect("CORS_ORIGIN is not a valid header value");
+        CorsLayer::new()
+          .allow_origin(header_val)
+          .allow_methods(Any)
+          .allow_headers(Any)
+          .allow_credentials(true)
+      }
+      _ => CorsLayer::new()
+        .allow_origin(Any)
+        .allow_methods(Any)
+        .allow_headers(Any),
+    };
 
-    // Serve the built React frontend from frontend/dist (relative to the
-    // working directory).  Falls back gracefully if the directory does not
-    // exist yet (e.g. during development when using `npm run dev`).
+    // Serve the built React frontend from ui/dist (relative to the working
+    // directory).  Falls back gracefully if the directory does not exist yet
+    // (e.g. during development when using `npm run dev`).
     let frontend_dir = env::current_dir()
       .unwrap_or_default()
-      .join("frontend")
+      .join("ui")
       .join("dist");
 
     // For SPA routing: any path not matched by a real file (e.g. /map/<id>)