Improved JWT security

src/backend/ssh/file-manager.ts

@@ -1,5 +1,6 @@
 import express from "express";
 import cors from "cors";
+import cookieParser from "cookie-parser";
 import { Client as SSHClient } from "ssh2";
 import { getDb } from "../database/db/index.js";
 import { sshCredentials } from "../database/db/schema.js";
@@ -49,7 +50,37 @@ const app = express();
 
 app.use(
   cors({
-    origin: "*",
+    origin: (origin, callback) => {
+      // Allow requests with no origin (like mobile apps or curl requests)
+      if (!origin) return callback(null, true);
+      
+      // Allow localhost and 127.0.0.1 for development
+      const allowedOrigins = [
+        "http://localhost:5173",
+        "http://localhost:3000", 
+        "http://127.0.0.1:5173",
+        "http://127.0.0.1:3000"
+      ];
+      
+      // Allow any HTTPS origin (production deployments)
+      if (origin.startsWith("https://")) {
+        return callback(null, true);
+      }
+      
+      // Allow any HTTP origin for self-hosted scenarios
+      if (origin.startsWith("http://")) {
+        return callback(null, true);
+      }
+      
+      // Check against allowed development origins
+      if (allowedOrigins.includes(origin)) {
+        return callback(null, true);
+      }
+      
+      // Reject other origins
+      callback(new Error("Not allowed by CORS"));
+    },
+    credentials: true,
     methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allowedHeaders: [
       "Content-Type",
@@ -59,6 +90,7 @@ app.use(
     ],
   }),
 );
+app.use(cookieParser());
 app.use(express.json({ limit: "1gb" }));
 app.use(express.urlencoded({ limit: "1gb", extended: true }));
 app.use(express.raw({ limit: "5gb", type: "application/octet-stream" }));