fix(security): remove localhost CORS origin, consolidate CORS in proxy

Move all /api/* CORS handling from next.config.ts to proxy.ts so the
runtime can resolve allowed origin per-request instead of baking it at
build time (which produced "Access-Control-Allow-Origin: http://localhost:3000"
with credentials:true in production).

- proxy.ts: per-route CORS policy table covering auth, MCP, form, and
  workflow execute endpoints; OPTIONS preflight short-circuit; Vary:
  Origin when origin is not '*'; form routes defer to route handler's
  addCorsHeaders to avoid double-setting
- next.config.ts: drop all /api/* Access-Control-Allow-* headers; keep
  COEP/COOP/CSP
- deployment.ts: addCorsHeaders sets Vary: Origin alongside reflected
  Allow-Origin
- Dockerfile: drop NEXT_PUBLIC_APP_URL build placeholder (Zod has
  skipValidation:true; build path doesn't read it)
- Remove 8 dead OPTIONS handlers and their preflight tests now that the
  proxy handles preflight uniformly

Author: waleedlatif1

apps/sim/app/api/files/delete/route.test.ts

@@ -91,7 +91,7 @@ vi.mock('fs/promises', () => ({
 }))
 
 import { createMockRequest } from '@sim/testing'
-import { OPTIONS, POST } from '@/app/api/files/delete/route'
+import { POST } from '@/app/api/files/delete/route'
 
 describe('File Delete API Route', () => {
   beforeEach(() => {
@@ -198,12 +198,4 @@ describe('File Delete API Route', () => {
     expect(data).toHaveProperty('error', 'InvalidRequestError')
     expect(data).toHaveProperty('message', 'No file path provided')
   })
-
-  it('should handle CORS preflight requests', async () => {
-    const response = await OPTIONS()
-
-    expect(response.status).toBe(204)
-    expect(response.headers.get('Access-Control-Allow-Methods')).toBe('GET, POST, DELETE, OPTIONS')
-    expect(response.headers.get('Access-Control-Allow-Headers')).toBe('Content-Type')
-  })
 })

apps/sim/app/api/files/delete/route.ts

@@ -12,7 +12,6 @@ import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file
 import { verifyFileAccess } from '@/app/api/files/authorization'
 import {
   createErrorResponse,
-  createOptionsResponse,
   createSuccessResponse,
   extractFilename,
   FileNotFoundError,
@@ -119,10 +118,3 @@ function extractStorageKeyFromPath(filePath: string): string {
 
   return extractFilename(filePath)
 }
-
-/**
- * Handle CORS preflight requests
- */
-export const OPTIONS = withRouteHandler(async () => {
-  return createOptionsResponse()
-})

apps/sim/app/api/files/presigned/batch/route.ts

@@ -156,17 +156,3 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     )
   }
 })
-
-export const OPTIONS = withRouteHandler(async () => {
-  return NextResponse.json(
-    {},
-    {
-      status: 200,
-      headers: {
-        'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Methods': 'POST, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      },
-    }
-  )
-})

apps/sim/app/api/files/presigned/route.test.ts

@@ -107,7 +107,7 @@ vi.mock('@/lib/uploads', () => ({
   isUsingCloudStorage: mockIsUsingCloudStorageUploads,
 }))
 
-import { OPTIONS, POST } from '@/app/api/files/presigned/route'
+import { POST } from '@/app/api/files/presigned/route'
 
 const defaultMockUser = {
   id: 'test-user-id',
@@ -827,16 +827,4 @@ describe('/api/files/presigned', () => {
       expect(mockValidateAttachmentFileType).not.toHaveBeenCalled()
     })
   })
-
-  describe('OPTIONS', () => {
-    it('should handle CORS preflight requests', async () => {
-      const response = await OPTIONS()
-
-      expect(response.status).toBe(200)
-      expect(response.headers.get('Access-Control-Allow-Methods')).toBe('POST, OPTIONS')
-      expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
-        'Content-Type, Authorization'
-      )
-    })
-  })
 })

apps/sim/app/api/files/presigned/route.ts

@@ -310,17 +310,3 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     )
   }
 })
-
-export const OPTIONS = withRouteHandler(async () => {
-  return NextResponse.json(
-    {},
-    {
-      status: 200,
-      headers: {
-        'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Methods': 'POST, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      },
-    }
-  )
-})

apps/sim/app/api/files/upload/route.test.ts

@@ -95,7 +95,7 @@ vi.mock('@/lib/uploads/setup.server', () => ({
 }))
 
 import { uploadWorkspaceFile } from '@/lib/uploads/contexts/workspace'
-import { OPTIONS, POST } from '@/app/api/files/upload/route'
+import { POST } from '@/app/api/files/upload/route'
 
 /**
  * Configure mocks for authenticated file upload tests
@@ -307,14 +307,6 @@ describe('File Upload API Route', () => {
     expect(data).toHaveProperty('error')
     expect(typeof data.error).toBe('string')
   })
-
-  it('should handle CORS preflight requests', async () => {
-    const response = await OPTIONS()
-
-    expect(response.status).toBe(204)
-    expect(response.headers.get('Access-Control-Allow-Methods')).toBe('GET, POST, DELETE, OPTIONS')
-    expect(response.headers.get('Access-Control-Allow-Headers')).toBe('Content-Type')
-  })
 })
 
 describe('File Upload Security Tests', () => {

apps/sim/app/api/files/upload/route.ts

@@ -21,11 +21,7 @@ import {
   validateFileType,
 } from '@/lib/uploads/utils/validation'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
-import {
-  createErrorResponse,
-  createOptionsResponse,
-  InvalidRequestError,
-} from '@/app/api/files/utils'
+import { createErrorResponse, InvalidRequestError } from '@/app/api/files/utils'
 
 const ALLOWED_EXTENSIONS = new Set<string>(SUPPORTED_ATTACHMENT_EXTENSIONS)
 
@@ -430,7 +426,3 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     return createErrorResponse(error instanceof Error ? error : new Error('File upload failed'))
   }
 })
-
-export const OPTIONS = withRouteHandler(async () => {
-  return createOptionsResponse()
-})

apps/sim/app/api/files/utils.ts

@@ -238,13 +238,3 @@ export function createErrorResponse(error: Error, status = 500): NextResponse {
 export function createSuccessResponse(data: ApiSuccessResponse): NextResponse {
   return NextResponse.json(data)
 }
-
-export function createOptionsResponse(): NextResponse {
-  return new NextResponse(null, {
-    status: 204,
-    headers: {
-      'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type',
-    },
-  })
-}

apps/sim/app/api/form/[identifier]/route.ts

@@ -401,7 +401,3 @@ export const GET = withRouteHandler(
     }
   }
 )
-
-export const OPTIONS = withRouteHandler(async (request: NextRequest) => {
-  return addCorsHeaders(new NextResponse(null, { status: 204 }), request)
-})

apps/sim/app/api/mcp/copilot/route.ts

@@ -386,19 +386,6 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
   }
 })
 
-export const OPTIONS = withRouteHandler(async () => {
-  return new NextResponse(null, {
-    status: 204,
-    headers: {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, DELETE',
-      'Access-Control-Allow-Headers':
-        'Content-Type, Authorization, X-API-Key, X-Requested-With, Accept',
-      'Access-Control-Max-Age': '86400',
-    },
-  })
-})
-
 export const DELETE = withRouteHandler(async (request: NextRequest) => {
   void request
   return NextResponse.json(createError(0, -32000, 'Method not allowed.'), { status: 405 })