From d0c11a3062fac880174b560e28d443d9828ac8f2 Mon Sep 17 00:00:00 2001
From: Wladimir Palant <374261+palant@users.noreply.github.com>
Date: Tue, 19 Aug 2025 13:58:13 +0200
Subject: [PATCH 1/3] feat(decap-server): Allow the server to be run securely
---
 packages/decap-server/README.md | 4 ++++
 packages/decap-server/src/index.ts | 16 ++++++++++++----
 .../decap-server/src/middlewares/common/index.ts | 4 +++-
 3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/packages/decap-server/README.md b/packages/decap-server/README.md
index 9b66fa4459b4..b730ccb09b98 100644
--- a/packages/decap-server/README.md
+++ b/packages/decap-server/README.md
@@ -27,4 +27,8 @@ backend:
 GIT_REPO_DIRECTORY=FULL_PATH_TO_LOCAL_GIT_REPO
 # optional, defaults to 8081
 PORT=CUSTOM_PORT
+# optional, only listen for incoming connections on a specific IP address
+BIND_HOST=127.0.0.1
+# optional, restrict API requests to a specific origin
+ORIGIN=https://example.com
 ```
diff --git a/packages/decap-server/src/index.ts b/packages/decap-server/src/index.ts
index 88afbff198bd..da4977914781 100644
--- a/packages/decap-server/src/index.ts
+++ b/packages/decap-server/src/index.ts
@@ -8,7 +8,8 @@ import { registerMiddleware as registerLocalFs } from './middlewares/localFs';
 import { createLogger } from './logger';
 const app = express();
-const port = process.env.PORT || 8081;
+const port = parseInt(process.env.PORT || '8081', 10);
+const host = process.env.BIND_HOST;
 const level = process.env.LOG_LEVEL || 'info';
 (async () => {
@@ -33,7 +34,14 @@ const level = process.env.LOG_LEVEL || 'info';
 process.exit(1);
 }
- return app.listen(port, () => {
- logger.info(`Decap CMS Proxy Server listening on port ${port}`);
- });
+ if (host) {
+ return app.listen(port, host, () => {
+ logger.info(`Decap CMS Proxy Server listening on ${host}:${port}`);
+ });
+ }
+ else {
+ return app.listen(port, () => {
+ logger.info(`Decap CMS Proxy Server listening on port ${port}`);
+ });
+ }
 })();
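Review bot: In the first `src/index.ts` hunk, the result of `parseInt(process.env.PORT || '8081', 10)` is used without validation: a non-numeric `PORT` yields `NaN`, and a value such as `8081x` is silently truncated to 8081. I would reject bad input right after the assignment, e.g. `if (!Number.isInteger(port) || port < 0 || port > 65535) throw new Error('Invalid PORT');`. `BIND_HOST` is also taken as given, so a one-line comment stating that it must be an address or hostname of the local machine would help whoever configures it.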
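Review bot: In the second `src/index.ts` hunk, the `else` branch still calls `app.listen(port, …)` without a host, which by Node's documented default binds the unspecified address, so with `BIND_HOST` unset the proxy stays reachable on every interface. The loopback-only setup the commit title refers to is therefore opt-in, and the startup log line does not tell the operator which case applies. I would make the exposure visible in that branch, e.g. `logger.warn('BIND_HOST is not set; accepting connections on all interfaces');` (assuming the logger exposes `warn`), or default `host` to `127.0.0.1` if that is acceptable for existing deployments. The enclosing async function starts above the hunk.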
diff --git a/packages/decap-server/src/middlewares/common/index.ts b/packages/decap-server/src/middlewares/common/index.ts
index 18ec4c46749b..ffe4abf5f034 100644
--- a/packages/decap-server/src/middlewares/common/index.ts
+++ b/packages/decap-server/src/middlewares/common/index.ts
@@ -16,6 +16,8 @@ export function registerCommonMiddlewares(app: express.Express, options: Options
 },
 };
 app.use(morgan('combined', { stream }));
- app.use(cors());
+ app.use(cors({
+ origin: process.env.ORIGIN || '*',
+ }));
 app.use(express.json({ limit: '50mb' }));
 }
From 206058afa4554eab856d7d081c482c9512434759 Mon Sep 17 00:00:00 2001
From: Wladimir Palant <374261+palant@users.noreply.github.com>
Date: Tue, 19 Aug 2025 14:58:49 +0200
Subject: [PATCH 2/3] Addressed nit
---
 packages/decap-server/src/index.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/packages/decap-server/src/index.ts b/packages/decap-server/src/index.ts
index da4977914781..813ccc2c720a 100644
--- a/packages/decap-server/src/index.ts
+++ b/packages/decap-server/src/index.ts
@@ -38,8 +38,7 @@ const level = process.env.LOG_LEVEL || 'info';
 return app.listen(port, host, () => {
 logger.info(`Decap CMS Proxy Server listening on ${host}:${port}`);
 });
- }
- else {
+ } else {
 return app.listen(port, () => {
 logger.info(`Decap CMS Proxy Server listening on port ${port}`);
 });
From d98b8e4a5306eea9b818ae58dbc753fe2c4a7f42 Mon Sep 17 00:00:00 2001
From: Wladimir Palant <374261+palant@users.noreply.github.com>
Date: Tue, 19 Aug 2025 15:44:51 +0200
Subject: [PATCH 3/3] Updated formatting
---
 packages/decap-server/src/middlewares/common/index.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/packages/decap-server/src/middlewares/common/index.ts b/packages/decap-server/src/middlewares/common/index.ts
index ffe4abf5f034..a43ccbfc8ed5 100644
--- a/packages/decap-server/src/middlewares/common/index.ts
+++ b/packages/decap-server/src/middlewares/common/index.ts
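Review bot: In the `[PATCH 1/3]` hunk for `middlewares/common/index.ts`, `origin: process.env.ORIGIN || '*'` keeps the wildcard whenever `ORIGIN` is unset, so by default any web page can still read this server's responses cross-origin. Also, `cors()` only sets the `Access-Control-*` response headers that browsers enforce and does not reject a request on the server, so the README wording "restrict API requests" promises more than the middleware delivers. I would state that at the call, e.g. `// CORS headers only: requests from other origins are not rejected here; unset ORIGIN keeps '*'`, and add an explicit check of the `Origin` request header if rejection is wanted. The same expression appears reformatted in the `[PATCH 3/3]` hunk, and `registerCommonMiddlewares` begins above the hunk.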
@@ -16,8 +16,10 @@ export function registerCommonMiddlewares(app: express.Express, options: Options
 },
 };
 app.use(morgan('combined', { stream }));
- app.use(cors({
- origin: process.env.ORIGIN || '*',
- }));
+ app.use(
+ cors({
+ origin: process.env.ORIGIN || '*',
+ }),
+ );
 app.use(express.json({ limit: '50mb' }));
 }