fix(security): remove localhost CORS origin, consolidate CORS in proxy (#4658)

* fix(security): remove localhost CORS origin, consolidate CORS in proxy

Move all /api/* CORS handling from next.config.ts to proxy.ts so the
runtime can resolve allowed origin per-request instead of baking it at
build time (which produced "Access-Control-Allow-Origin: http://localhost:3000"
with credentials:true in production).

- proxy.ts: per-route CORS policy table covering auth, MCP, form, and
  workflow execute endpoints; OPTIONS preflight short-circuit; Vary:
  Origin when origin is not '*'; form routes defer to route handler's
  addCorsHeaders to avoid double-setting
- next.config.ts: drop all /api/* Access-Control-Allow-* headers; keep
  COEP/COOP/CSP
- deployment.ts: addCorsHeaders sets Vary: Origin alongside reflected
  Allow-Origin
- Dockerfile: drop NEXT_PUBLIC_APP_URL build placeholder (Zod has
  skipValidation:true; build path doesn't read it)
- Remove 8 dead OPTIONS handlers and their preflight tests now that the
  proxy handles preflight uniformly

* refactor(cors): consolidate API CORS into proxy as single source of truth

Move CORS for /api/chat/* and /api/form/* into the proxy policy table with
reflected-origin + credentials:false, and delete the per-route addCorsHeaders
helper. Routes no longer set CORS headers — the proxy is the only writer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor(cors): convert proxy CORS policy chain to a rule table + add tests

Replace the if/else chain in resolveApiCorsPolicy with a CORS_RULES table
so each route's policy lives in one place and is trivially scannable.
Add proxy.test.ts covering each rule and the wildcard-with-credentials
invariant.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(cors): scope embed CORS rule to /api/{chat,form}/[identifier] only

The embed policy (reflected origin, credentials:false) was matching
workspace-internal session-authed routes — /api/chat, /api/chat/manage/*,
/api/chat/validate, and the form equivalents — which need the default
credentialed policy. Tighten the matcher to the embed paths only and add
tests covering the exclusion.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor(cors): replace embed-path regex with explicit segment check

The regex form `^/api/(chat|form)/(?!manage|validate)[^/]+(/(otp|sso))?$`
was opaque on review and would silently exclude any future identifier
subroute outside the hard-coded (otp|sso) group from the embed policy.
Replace it with an imperative segment check and a named
EMBED_RESERVED_SEGMENTS Set, so the policy boundary is visible at the
top of the function and adding a reserved subpath is a one-line diff.
Add a test asserting that future identifier subroutes also get the
embed policy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(cors): allow PUT in embed CORS policy for OTP verification

Both /api/chat/[identifier]/otp and /api/form/[identifier]/otp export
PUT for OTP code verification. The embed policy advertised only
GET/POST/OPTIONS, so cross-origin embed clients failed preflight on
verify. Add PUT and assert it in the embed policy test.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/chat/[identifier]/otp/route.test.ts

@@ -26,7 +26,6 @@ const {
   mockDbUpdate,
   mockSendEmail,
   mockRenderOTPEmail,
-  mockAddCorsHeaders,
   mockSetChatAuthCookie,
   mockGetStorageMethod,
   mockZodParse,
@@ -50,7 +49,6 @@ const {
   const mockDbUpdate = vi.fn()
   const mockSendEmail = vi.fn()
   const mockRenderOTPEmail = vi.fn()
-  const mockAddCorsHeaders = vi.fn()
   const mockSetChatAuthCookie = vi.fn()
   const mockGetStorageMethod = vi.fn()
   const mockZodParse = vi.fn()
@@ -69,7 +67,6 @@ const {
     mockDbUpdate,
     mockSendEmail,
     mockRenderOTPEmail,
-    mockAddCorsHeaders,
     mockSetChatAuthCookie,
     mockGetStorageMethod,
     mockZodParse,
@@ -131,7 +128,6 @@ vi.mock('@/components/emails', () => ({
 }))
 
 vi.mock('@/lib/core/security/deployment', () => ({
-  addCorsHeaders: mockAddCorsHeaders,
   isEmailAllowed: (email: string, allowedEmails: string[]) => {
     if (allowedEmails.includes(email)) return true
     const atIndex = email.indexOf('@')
@@ -248,7 +244,6 @@ describe('Chat OTP API Route', () => {
     mockSendEmail.mockResolvedValue({ success: true })
     mockRenderOTPEmail.mockResolvedValue('<html>OTP Email</html>')
 
-    mockAddCorsHeaders.mockImplementation((response: unknown) => response)
     mockCreateSuccessResponse.mockImplementation((data: unknown) => ({
       json: () => Promise.resolve(data),
       status: 200,

apps/sim/app/api/chat/[identifier]/otp/route.ts

@@ -7,7 +7,7 @@ import { renderOTPEmail } from '@/components/emails'
 import { requestChatEmailOtpContract, verifyChatEmailOtpContract } from '@/lib/api/contracts/chats'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { RateLimiter } from '@/lib/core/rate-limiter'
-import { addCorsHeaders, isEmailAllowed } from '@/lib/core/security/deployment'
+import { isEmailAllowed } from '@/lib/core/security/deployment'
 import {
   decodeOTPValue,
   deleteOTP,
@@ -47,15 +47,12 @@ export const POST = withRouteHandler(
         )
         const response = createErrorResponse('Too many requests. Please try again later.', 429)
         response.headers.set('Retry-After', String(retryAfter))
-        return addCorsHeaders(response, request)
+        return response
       }
 
       const parsed = await parseRequest(requestChatEmailOtpContract, request, context, {
         validationErrorResponse: (error) =>
-          addCorsHeaders(
-            createErrorResponse(getValidationErrorMessage(error, 'Invalid request'), 400),
-            request
-          ),
+          createErrorResponse(getValidationErrorMessage(error, 'Invalid request'), 400),
       })
       if (!parsed.success) return parsed.response
       const { email } = parsed.data.body
@@ -75,27 +72,21 @@ export const POST = withRouteHandler(
 
       if (deploymentResult.length === 0) {
         logger.warn(`[${requestId}] Chat not found for identifier: ${identifier}`)
-        return addCorsHeaders(createErrorResponse('Chat not found', 404), request)
+        return createErrorResponse('Chat not found', 404)
       }
 
       const deployment = deploymentResult[0]
 
       if (deployment.authType !== 'email') {
-        return addCorsHeaders(
-          createErrorResponse('This chat does not use email authentication', 400),
-          request
-        )
+        return createErrorResponse('This chat does not use email authentication', 400)
       }
 
       const allowedEmails: string[] = Array.isArray(deployment.allowedEmails)
         ? deployment.allowedEmails
         : []
 
       if (!isEmailAllowed(email, allowedEmails)) {
-        return addCorsHeaders(
-          createErrorResponse('Email not authorized for this chat', 403),
-          request
-        )
+        return createErrorResponse('Email not authorized for this chat', 403)
       }
 
       const emailRateLimit = await rateLimiter.checkRateLimitDirect(
@@ -114,7 +105,7 @@ export const POST = withRouteHandler(
           429
         )
         response.headers.set('Retry-After', String(retryAfter))
-        return addCorsHeaders(response, request)
+        return response
       }
 
       const otp = generateOTP()
@@ -135,17 +126,14 @@ export const POST = withRouteHandler(
 
       if (!emailResult.success) {
         logger.error(`[${requestId}] Failed to send OTP email:`, emailResult.message)
-        return addCorsHeaders(
-          createErrorResponse('Failed to send verification email', 500),
-          request
-        )
+        return createErrorResponse('Failed to send verification email', 500)
       }
 
       logger.info(`[${requestId}] OTP sent to ${email} for chat ${deployment.id}`)
-      return addCorsHeaders(createSuccessResponse({ message: 'Verification code sent' }), request)
+      return createSuccessResponse({ message: 'Verification code sent' })
     } catch (error) {
       logger.error(`[${requestId}] Error processing OTP request:`, error)
-      return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)
+      return createErrorResponse('Failed to process request', 500)
     }
   }
 )
@@ -158,10 +146,7 @@ export const PUT = withRouteHandler(
     try {
       const parsed = await parseRequest(verifyChatEmailOtpContract, request, context, {
         validationErrorResponse: (error) =>
-          addCorsHeaders(
-            createErrorResponse(getValidationErrorMessage(error, 'Invalid request'), 400),
-            request
-          ),
+          createErrorResponse(getValidationErrorMessage(error, 'Invalid request'), 400),
       })
       if (!parsed.success) return parsed.response
       const { email, otp } = parsed.data.body
@@ -184,61 +169,49 @@ export const PUT = withRouteHandler(
 
       if (deploymentResult.length === 0) {
         logger.warn(`[${requestId}] Chat not found for identifier: ${identifier}`)
-        return addCorsHeaders(createErrorResponse('Chat not found', 404), request)
+        return createErrorResponse('Chat not found', 404)
       }
 
       const deployment = deploymentResult[0]
 
       const storedValue = await getOTP('chat', deployment.id, email)
       if (!storedValue) {
-        return addCorsHeaders(
-          createErrorResponse('No verification code found, request a new one', 400),
-          request
-        )
+        return createErrorResponse('No verification code found, request a new one', 400)
       }
 
       const { otp: storedOTP, attempts } = decodeOTPValue(storedValue)
 
       if (attempts >= MAX_OTP_ATTEMPTS) {
         await deleteOTP('chat', deployment.id, email)
         logger.warn(`[${requestId}] OTP already locked out for ${email}`)
-        return addCorsHeaders(
-          createErrorResponse('Too many failed attempts. Please request a new code.', 429),
-          request
-        )
+        return createErrorResponse('Too many failed attempts. Please request a new code.', 429)
       }
 
       if (storedOTP !== otp) {
         const result = await incrementOTPAttempts('chat', deployment.id, email, storedValue)
         if (result === 'locked') {
           logger.warn(`[${requestId}] OTP invalidated after max failed attempts for ${email}`)
-          return addCorsHeaders(
-            createErrorResponse('Too many failed attempts. Please request a new code.', 429),
-            request
-          )
+          return createErrorResponse('Too many failed attempts. Please request a new code.', 429)
         }
-        return addCorsHeaders(createErrorResponse('Invalid verification code', 400), request)
+        return createErrorResponse('Invalid verification code', 400)
       }
 
       await deleteOTP('chat', deployment.id, email)
 
-      const response = addCorsHeaders(
-        createSuccessResponse({
-          id: deployment.id,
-          title: deployment.title,
-          description: deployment.description,
-          customizations: deployment.customizations,
-          authType: deployment.authType,
-          outputConfigs: deployment.outputConfigs,
-        }),
-        request
-      )
+      const response = createSuccessResponse({
+        id: deployment.id,
+        title: deployment.title,
+        description: deployment.description,
+        customizations: deployment.customizations,
+        authType: deployment.authType,
+        outputConfigs: deployment.outputConfigs,
+      })
       setChatAuthCookie(response, deployment.id, deployment.authType, deployment.password)
 
       return response
     } catch (error) {
       logger.error(`[${requestId}] Error verifying OTP:`, error)
-      return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)
+      return createErrorResponse('Failed to process request', 500)
     }
   }
 )

apps/sim/app/api/chat/[identifier]/route.test.ts

@@ -63,13 +63,11 @@ const createMockStream = () => {
   })
 }
 
-const { mockAddCorsHeaders, mockValidateChatAuth, mockSetChatAuthCookie, mockValidateAuthToken } =
-  vi.hoisted(() => ({
-    mockAddCorsHeaders: vi.fn().mockImplementation((response: Response) => response),
-    mockValidateChatAuth: vi.fn().mockResolvedValue({ authorized: true }),
-    mockSetChatAuthCookie: vi.fn(),
-    mockValidateAuthToken: vi.fn().mockReturnValue(false),
-  }))
+const { mockValidateChatAuth, mockSetChatAuthCookie, mockValidateAuthToken } = vi.hoisted(() => ({
+  mockValidateChatAuth: vi.fn().mockResolvedValue({ authorized: true }),
+  mockSetChatAuthCookie: vi.fn(),
+  mockValidateAuthToken: vi.fn().mockReturnValue(false),
+}))
 
 const mockCreateErrorResponse = workflowsApiUtilsMockFns.mockCreateErrorResponse
 const mockCreateSuccessResponse = workflowsApiUtilsMockFns.mockCreateSuccessResponse
@@ -81,7 +79,6 @@ vi.mock('@sim/db', () => ({
 }))
 
 vi.mock('@/lib/core/security/deployment', () => ({
-  addCorsHeaders: mockAddCorsHeaders,
   validateAuthToken: mockValidateAuthToken,
   setDeploymentAuthCookie: vi.fn(),
   isEmailAllowed: vi.fn().mockReturnValue(false),
@@ -181,7 +178,6 @@ describe('Chat Identifier API Route', () => {
       },
     })
 
-    mockAddCorsHeaders.mockImplementation((response: Response) => response)
     mockValidateChatAuth.mockResolvedValue({ authorized: true })
     mockValidateAuthToken.mockReturnValue(false)
     mockCreateErrorResponse.mockImplementation((message: string, status: number, code?: string) => {