Centralize CORS configuration

Consolidate CORS handling by introducing a shared supabase/functions/_shared/cors.ts and migrate edge functions to import from it. Remove inline cors.ts usage across functions, standardize headers (including traceparent and x-request-id), and prepare for environment-aware origins.
2025-12-20 11:51:14 -05:00 · 2025-11-10 21:28:46 +00:00
parent 7cbd09b2ad
commit bf3da6414a
44 changed files with 160 additions and 253 deletions
--- a/supabase/functions/_shared/cors.ts
+++ b/supabase/functions/_shared/cors.ts
@@ -0,0 +1,119 @@
+/**
+ * Centralized CORS configuration for all edge functions
+ * Provides consistent header handling across the application
+ */
+
+// Standard headers that should be allowed across all functions
+const STANDARD_HEADERS = [
+  'authorization',
+  'x-client-info', 
+  'apikey',
+  'content-type',
+];
+
+// Tracing headers for distributed tracing and request tracking
+const TRACING_HEADERS = [
+  'traceparent',
+  'x-request-id',
+];
+
+// All headers combined
+const ALL_HEADERS = [...STANDARD_HEADERS, ...TRACING_HEADERS];
+
+/**
+ * Basic CORS headers - allows all origins
+ * Use for most edge functions that need public access
+ */
+export const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': STANDARD_HEADERS.join(', '),
+};
+
+/**
+ * Extended CORS headers - includes tracing headers
+ * Use for functions that participate in distributed tracing
+ */
+export const corsHeadersWithTracing = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': ALL_HEADERS.join(', '),
+};
+
+/**
+ * CORS headers with methods - for functions with multiple HTTP verbs
+ */
+export const corsHeadersWithMethods = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': ALL_HEADERS.join(', '),
+  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
+};
+
+/**
+ * CORS headers with credentials - for authenticated requests requiring cookies
+ */
+export const corsHeadersWithCredentials = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': ALL_HEADERS.join(', '),
+  'Access-Control-Allow-Credentials': 'true',
+};
+
+/**
+ * Environment-aware CORS configuration
+ * Validates origin against allowlist (production) or localhost (development)
+ */
+export const getAllowedOrigin = (requestOrigin: string | null): string | null => {
+  // If no origin header, it's not a CORS request (same-origin or server-to-server)
+  if (!requestOrigin) {
+    return null;
+  }
+
+  const environment = Deno.env.get('ENVIRONMENT') || 'development';
+  
+  // Production allowlist - configure via ALLOWED_ORIGINS environment variable
+  const allowedOriginsEnv = Deno.env.get('ALLOWED_ORIGINS') || '';
+  const allowedOrigins = allowedOriginsEnv.split(',').filter(origin => origin.trim());
+  
+  // In development, only allow localhost and Replit domains
+  if (environment === 'development') {
+    if (
+      requestOrigin.includes('localhost') ||
+      requestOrigin.includes('127.0.0.1') ||
+      requestOrigin.includes('.repl.co') ||
+      requestOrigin.includes('.replit.dev')
+    ) {
+      return requestOrigin;
+    }
+    return null;
+  }
+  
+  // In production, only allow specific domains from environment variable
+  if (allowedOrigins.includes(requestOrigin)) {
+    return requestOrigin;
+  }
+  
+  return null;
+};
+
+/**
+ * Get CORS headers with validated origin
+ * Use for functions requiring strict origin validation (e.g., upload-image)
+ */
+export const getCorsHeaders = (allowedOrigin: string | null): Record<string, string> => {
+  if (!allowedOrigin) {
+    return {};
+  }
+  
+  return {
+    'Access-Control-Allow-Origin': allowedOrigin,
+    'Access-Control-Allow-Headers': ALL_HEADERS.join(', '),
+    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
+    'Access-Control-Allow-Credentials': 'true',
+  };
+};
+
+/**
+ * Handle OPTIONS preflight request
+ * Returns a Response with appropriate CORS headers
+ */
+export const handleCorsPreFlight = (corsHeaders: Record<string, string>): Response => {
+  return new Response(null, { headers: corsHeaders });
+};
--- a/supabase/functions/admin-delete-user/index.ts
+++ b/supabase/functions/admin-delete-user/index.ts
@@ -1,12 +1,8 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface DeleteUserRequest {
  targetUserId: string;
 }
--- a/supabase/functions/cancel-account-deletion/index.ts
+++ b/supabase/functions/cancel-account-deletion/index.ts
@@ -1,13 +1,9 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 serve(async (req) => {
  const tracking = startRequest();
  
--- a/supabase/functions/cancel-email-change/index.ts
+++ b/supabase/functions/cancel-email-change/index.ts
@@ -1,12 +1,8 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 Deno.serve(async (req) => {
  const tracking = startRequest();
  
--- a/supabase/functions/check-transaction-status/index.ts
+++ b/supabase/functions/check-transaction-status/index.ts
@@ -8,13 +8,9 @@
 */

 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface StatusRequest {
  idempotencyKey: string;
 }
--- a/supabase/functions/cleanup-old-versions/index.ts
+++ b/supabase/functions/cleanup-old-versions/index.ts
@@ -1,12 +1,8 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface CleanupStats {
  item_edit_history_deleted: number;
  orphaned_records_deleted: number;
--- a/supabase/functions/confirm-account-deletion/index.ts
+++ b/supabase/functions/confirm-account-deletion/index.ts
@@ -1,12 +1,8 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 serve(async (req) => {
  const tracking = startRequest();
  
--- a/supabase/functions/create-novu-subscriber/index.ts
+++ b/supabase/functions/create-novu-subscriber/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 // Simple request tracking
 const startRequest = () => ({ requestId: crypto.randomUUID(), start: Date.now() });
 const endRequest = (tracking: { start: number }) => Date.now() - tracking.start;
--- a/supabase/functions/detect-location/index.ts
+++ b/supabase/functions/detect-location/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 interface IPLocationResponse {
  country: string;
  countryCode: string;
--- a/supabase/functions/export-user-data/index.ts
+++ b/supabase/functions/export-user-data/index.ts
@@ -1,14 +1,10 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { sanitizeError } from '../_shared/errorSanitizer.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface ExportOptions {
  include_reviews: boolean;
  include_lists: boolean;
--- a/supabase/functions/manage-moderator-topic/index.ts
+++ b/supabase/functions/manage-moderator-topic/index.ts
@@ -1,14 +1,10 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";
 import { withEdgeRetry } from '../_shared/retryHelper.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 const TOPICS = {
  MODERATION_SUBMISSIONS: 'moderation-submissions',
  MODERATION_REPORTS: 'moderation-reports',
--- a/supabase/functions/merge-contact-tickets/index.ts
+++ b/supabase/functions/merge-contact-tickets/index.ts
@@ -1,13 +1,9 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { createErrorResponse, sanitizeError } from '../_shared/errorSanitizer.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface MergeTicketsRequest {
  primaryTicketId: string;
  mergeTicketIds: string[];
--- a/supabase/functions/mfa-unenroll/index.ts
+++ b/supabase/functions/mfa-unenroll/index.ts
@@ -1,12 +1,8 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 Deno.serve(async (req) => {
  const tracking = startRequest();
  
--- a/supabase/functions/migrate-novu-users/index.ts
+++ b/supabase/functions/migrate-novu-users/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 serve(async (req) => {
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders });
--- a/supabase/functions/notify-moderators-report/index.ts
+++ b/supabase/functions/notify-moderators-report/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";
 import { withEdgeRetry } from '../_shared/retryHelper.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 interface NotificationPayload {
  reportId: string;
  reportType: string;
--- a/supabase/functions/notify-moderators-submission/index.ts
+++ b/supabase/functions/notify-moderators-submission/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { withEdgeRetry } from '../_shared/retryHelper.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface NotificationPayload {
  submission_id: string;
  submission_type: string;
--- a/supabase/functions/notify-system-announcement/index.ts
+++ b/supabase/functions/notify-system-announcement/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 interface AnnouncementPayload {
  title: string;
  message: string;
--- a/supabase/functions/notify-user-submission-status/index.ts
+++ b/supabase/functions/notify-user-submission-status/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 interface RequestBody {
  submission_id: string;
  user_id: string;
--- a/supabase/functions/novu-webhook/index.ts
+++ b/supabase/functions/novu-webhook/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 // Simple request tracking
 const startRequest = () => ({ requestId: crypto.randomUUID(), start: Date.now() });
 const endRequest = (tracking: { start: number }) => Date.now() - tracking.start;
--- a/supabase/functions/process-expired-bans/index.ts
+++ b/supabase/functions/process-expired-bans/index.ts
@@ -1,11 +1,7 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 Deno.serve(async (req) => {
  // Handle CORS preflight
  if (req.method === 'OPTIONS') {
--- a/supabase/functions/process-oauth-profile/index.ts
+++ b/supabase/functions/process-oauth-profile/index.ts
@@ -1,12 +1,8 @@
 import "jsr:@supabase/functions-js/edge-runtime.d.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 const CLOUDFLARE_ACCOUNT_ID = Deno.env.get('CLOUDFLARE_ACCOUNT_ID');
 const CLOUDFLARE_API_TOKEN = Deno.env.get('CLOUDFLARE_IMAGES_API_TOKEN');

--- a/supabase/functions/process-scheduled-deletions/index.ts
+++ b/supabase/functions/process-scheduled-deletions/index.ts
@@ -1,12 +1,8 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 serve(async (req) => {
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders });
--- a/supabase/functions/process-selective-approval/cors.ts
+++ b/supabase/functions/process-selective-approval/cors.ts
@@ -1,4 +0,0 @@
-export const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, traceparent, x-request-id',
-};
--- a/supabase/functions/process-selective-approval/index.ts
+++ b/supabase/functions/process-selective-approval/index.ts
@@ -1,6 +1,6 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
-import { corsHeaders } from './cors.ts';
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { rateLimiters, withRateLimit } from '../_shared/rateLimiter.ts';
 import { 
  edgeLogger, 
--- a/supabase/functions/process-selective-rejection/cors.ts
+++ b/supabase/functions/process-selective-rejection/cors.ts
@@ -1,4 +0,0 @@
-export const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, traceparent, x-request-id',
-};
--- a/supabase/functions/process-selective-rejection/index.ts
+++ b/supabase/functions/process-selective-rejection/index.ts
@@ -1,6 +1,6 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
-import { corsHeaders } from './cors.ts';
+import { corsHeadersWithTracing as corsHeaders } from '../_shared/cors.ts';
 import { rateLimiters, withRateLimit } from '../_shared/rateLimiter.ts';
 import { 
  edgeLogger, 
--- a/supabase/functions/receive-inbound-email/index.ts
+++ b/supabase/functions/receive-inbound-email/index.ts
@@ -1,14 +1,10 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";
 import { createErrorResponse } from "../_shared/errorSanitizer.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface InboundEmailPayload {
  from: string;
  to: string;
--- a/supabase/functions/remove-novu-subscriber/index.ts
+++ b/supabase/functions/remove-novu-subscriber/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 serve(async (req) => {
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders });
--- a/supabase/functions/request-account-deletion/index.ts
+++ b/supabase/functions/request-account-deletion/index.ts
@@ -1,12 +1,8 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 serve(async (req) => {
  const tracking = startRequest();
  
--- a/supabase/functions/resend-deletion-code/index.ts
+++ b/supabase/functions/resend-deletion-code/index.ts
@@ -1,12 +1,8 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 serve(async (req) => {
  const tracking = startRequest();
  
--- a/supabase/functions/run-cleanup-jobs/index.ts
+++ b/supabase/functions/run-cleanup-jobs/index.ts
@@ -11,13 +11,9 @@
 */

 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface CleanupResult {
  idempotency_keys?: {
    deleted: number;
--- a/supabase/functions/scheduled-maintenance/index.ts
+++ b/supabase/functions/scheduled-maintenance/index.ts
@@ -1,13 +1,9 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from '../_shared/logger.ts';
 import { formatEdgeError } from '../_shared/errorFormatter.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 serve(async (req: Request) => {
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders });
--- a/supabase/functions/seed-test-data/index.ts
+++ b/supabase/functions/seed-test-data/index.ts
@@ -1,11 +1,7 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface SeedOptions {
  preset: 'small' | 'medium' | 'large' | 'stress';
  entityTypes: string[];
--- a/supabase/functions/send-admin-email-reply/index.ts
+++ b/supabase/functions/send-admin-email-reply/index.ts
@@ -1,14 +1,10 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";
 import { createErrorResponse } from "../_shared/errorSanitizer.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface AdminReplyRequest {
  submissionId: string;
  replyBody: string;
--- a/supabase/functions/send-contact-message/index.ts
+++ b/supabase/functions/send-contact-message/index.ts
@@ -1,14 +1,10 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from "../_shared/logger.ts";
 import { createErrorResponse } from "../_shared/errorSanitizer.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface ContactSubmission {
  name: string;
  email: string;
--- a/supabase/functions/send-escalation-notification/index.ts
+++ b/supabase/functions/send-escalation-notification/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { withEdgeRetry } from '../_shared/retryHelper.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface EscalationRequest {
  submissionId: string;
  escalationReason: string;
--- a/supabase/functions/send-password-added-email/index.ts
+++ b/supabase/functions/send-password-added-email/index.ts
@@ -1,12 +1,8 @@
 import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 interface EmailRequest {
  email: string;
  displayName?: string;
--- a/supabase/functions/sync-all-moderators-to-topic/index.ts
+++ b/supabase/functions/sync-all-moderators-to-topic/index.ts
@@ -1,14 +1,10 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts';
 import { withEdgeRetry } from '../_shared/retryHelper.ts';

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 const TOPICS = {
  MODERATION_SUBMISSIONS: 'moderation-submissions',
  MODERATION_REPORTS: 'moderation-reports',
--- a/supabase/functions/trigger-notification/index.ts
+++ b/supabase/functions/trigger-notification/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 serve(async (req) => {
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders });
--- a/supabase/functions/update-novu-preferences/index.ts
+++ b/supabase/functions/update-novu-preferences/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { Novu } from "npm:@novu/api@1.6.0";
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.57.4";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 serve(async (req) => {
  const tracking = startRequest('update-novu-preferences');

--- a/supabase/functions/update-novu-subscriber/index.ts
+++ b/supabase/functions/update-novu-subscriber/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { Novu } from "npm:@novu/api@1.6.0";
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger, startRequest, endRequest } from "../_shared/logger.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 serve(async (req) => {
  if (req.method === 'OPTIONS') {
    return new Response(null, { headers: corsHeaders });
--- a/supabase/functions/upload-image/index.ts
+++ b/supabase/functions/upload-image/index.ts
@@ -1,62 +1,10 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts"
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'
+import { getAllowedOrigin, getCorsHeaders } from '../_shared/cors.ts'
 import { edgeLogger, startRequest, endRequest } from '../_shared/logger.ts'
 import { rateLimiters, withRateLimit } from '../_shared/rateLimiter.ts'
 import { formatEdgeError } from '../_shared/errorFormatter.ts'

-// Environment-aware CORS configuration
-const getAllowedOrigin = (requestOrigin: string | null): string | null => {
-  // If no origin header, it's not a CORS request (same-origin or server-to-server)
-  if (!requestOrigin) {
-    return null;
-  }
-
-  const environment = Deno.env.get('ENVIRONMENT') || 'development';
-  
-  // Production allowlist - configure via ALLOWED_ORIGINS environment variable
-  // Format: comma-separated list of origins, e.g., "https://example.com,https://www.example.com"
-  const allowedOriginsEnv = Deno.env.get('ALLOWED_ORIGINS') || '';
-  const allowedOrigins = allowedOriginsEnv.split(',').filter(origin => origin.trim());
-  
-  // In development, only allow localhost and Replit domains - nothing else
-  if (environment === 'development') {
-    if (
-      requestOrigin.includes('localhost') ||
-      requestOrigin.includes('127.0.0.1') ||
-      requestOrigin.includes('.repl.co') ||
-      requestOrigin.includes('.replit.dev')
-    ) {
-      return requestOrigin;
-    }
-    // Origin not allowed in development - log and deny
-    edgeLogger.warn('CORS origin not allowed in development mode', { origin: requestOrigin });
-    return null;
-  }
-  
-  // In production, only allow specific domains from environment variable
-  if (allowedOrigins.includes(requestOrigin)) {
-    return requestOrigin;
-  }
-  
-  // Origin not allowed in production - log and deny
-  edgeLogger.warn('CORS origin not allowed in production mode', { origin: requestOrigin });
-  return null;
-};
-
-const getCorsHeaders = (allowedOrigin: string | null): Record<string, string> => {
-  // If no allowed origin, return empty headers (no CORS access)
-  if (!allowedOrigin) {
-    return {};
-  }
-  
-  return {
-    'Access-Control-Allow-Origin': allowedOrigin,
-    'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-    'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-    'Access-Control-Allow-Credentials': 'true',
-  };
-};
-
 // Helper to create authenticated Supabase client
 const createAuthenticatedSupabaseClient = (authHeader: string) => {
  const supabaseUrl = Deno.env.get('SUPABASE_URL')
--- a/supabase/functions/validate-email-backend/index.ts
+++ b/supabase/functions/validate-email-backend/index.ts
@@ -1,13 +1,9 @@
 import { serve } from "https://deno.land/std@0.168.0/http/server.ts";
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.39.3';
+import { corsHeaders } from '../_shared/cors.ts';
 import { edgeLogger } from "../_shared/logger.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
-};
-
 // Simple request tracking
 const startRequest = () => ({ requestId: crypto.randomUUID(), start: Date.now() });
 const endRequest = (tracking: { start: number }) => Date.now() - tracking.start;
--- a/supabase/functions/validate-email/index.ts
+++ b/supabase/functions/validate-email/index.ts
@@ -1,12 +1,8 @@
 import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
+import { corsHeaders } from '../_shared/cors.ts';
 import { startRequest, endRequest, edgeLogger } from "../_shared/logger.ts";
 import { formatEdgeError } from "../_shared/errorFormatter.ts";

-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type, x-request-id',
-};
-
 // Comprehensive list of disposable email domains
 const DISPOSABLE_DOMAINS = new Set([
  // Popular disposable email services