cors settings, endpoint adjustments so mobile can hit

server/index.js

@@ -37,8 +37,8 @@ class Server {
         /* Site */
         router.post('/free', this.newUserSubmission)
         router.get('/db/images/*', this.getUserImage)
-        router.get('/app/orgdata/*', this.getOrgData)
-        router.get('/app/mydata/*', this.getPersonalData)
+        router.get('/api/orgdata/*', this.getOrgData)
+        router.get('/api/mydata/*', this.getPersonalData)
         router.get('/*', this.get)
         return router
     }
@@ -225,7 +225,30 @@ class Server {
         this.auth = new AuthHandler()
         const app = express();
         app.post("/webhook", express.raw({ type: "application/json" }), PaymentsHandler.webhook)
-        app.use(cors({ origin: '*' }));
+        const allowedOrigins = new Set([
+            "https://www.parchment.page",
+            "https://parchment.page",
+            "http://localhost:5174",
+            "http://sam.local:5174",
+            "http://localhost:5173",
+            "http://sam.local:5173",
+            "http://localhost:10002",
+            "http://sam.local:10002",
+            "capacitor://localhost",
+            "http://localhost"
+        ]);
+        app.use(cors({
+            origin(origin, cb) {
+                if (!origin) return cb(null, true); // native / curl
+
+                if (allowedOrigins.has(origin)) {
+                return cb(null, true);
+                }
+
+                return cb(new Error("Blocked by CORS"));
+            },
+            credentials: true
+        }));
         app.use(express.json());
         app.use(express.urlencoded({ extended: true }));
         app.use(cookieParser());