NgodingCik · GTPSHAX · May 4, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
diff --git a/.env.example b/.env.example
@@ -1,11 +1,12 @@
 # --- App configuration ---
 APP_NAME="My App"
-APP_ORIGIN_URL="*"
+# Comma-separated list of allowed CORS
+APP_ORIGIN_HOSTS="*"
 APP_PORT=3000
 APP_HOST="0.0.0.0"
 # Base URL for API requests
 APP_API_BASE_URL=http://localhost:3000/api
-# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by OPENAI_API_BASE_URL and not use the built-in API routes)
+# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by APP_API_BASE_URL and not use the built-in API routes)
 APP_USE_BUILTIN_API=true
 
 # --- CORS configuration ---
@@ -17,4 +18,4 @@ CORS_TRUSTED_CDN_HOSTS="cdn.example.com"
 # --- OpenAI configuration ---
 OPENAI_API_KEY="your-openai-api-key-here"
 OPENAI_MODEL="gpt-3.5-turbo"
-OPENAI_API_BASE_URL="https://api.openai.com/v1"
+OPENAI_BASE_URL="https://api.openai.com/v1"
diff --git a/.env.schema b/.env.schema
@@ -1,11 +1,12 @@
 # --- App configuration ---
 APP_NAME=
-APP_ORIGIN_URL=
+# Comma-separated list of allowed CORS
+APP_ORIGIN_HOSTS=
 APP_PORT=
 APP_HOST=
 # Base URL for API requests
 APP_API_BASE_URL=
-# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by OPENAI_API_BASE_URL and not use the built-in API routes)
+# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by APP_API_BASE_URL and not use the built-in API routes)
 APP_USE_BUILTIN_API=
 
 # --- CORS configuration ---
@@ -17,4 +18,4 @@ CORS_TRUSTED_CDN_HOSTS=
 # --- OpenAI configuration ---
 OPENAI_API_KEY=
 OPENAI_MODEL=
-OPENAI_API_BASE_URL=
+OPENAI_BASE_URL=
diff --git a/apps/api/.env.example b/apps/api/.env.example
@@ -1,10 +1,15 @@
 # --- App configuration ---
-APP_ORIGIN_URL="*"
+APP_ORIGIN_HOSTS="*"
 APP_PORT=3000
 APP_HOST="0.0.0.0"
 
 # --- CORS configuration ---
 # Comma-separated list of trusted hosts for CORS validation
 CORS_TRUSTED_HOSTS="localhost,example.com"
 # Comma-separated list of trusted CDN hosts for CORS validation
-CORS_TRUSTED_CDN_HOSTS="cdn.example.com"
+CORS_TRUSTED_CDN_HOSTS="cdn.example.com"
+
+# --- OpenAI configuration ---
+OPENAI_API_KEY="your-openai-api-key-here"
+OPENAI_MODEL="gpt-3.5-turbo"
+OPENAI_BASE_URL="https://api.openai.com/v1"
diff --git a/apps/api/.env.schema b/apps/api/.env.schema
@@ -1,10 +1,15 @@
 # --- App configuration ---
-APP_ORIGIN_URL=
+APP_ORIGIN_HOSTS=
 APP_PORT=
 APP_HOST=
 
 # --- CORS configuration ---
 # Comma-separated list of trusted hosts for CORS validation
 CORS_TRUSTED_HOSTS=
 # Comma-separated list of trusted CDN hosts for CORS validation
-CORS_TRUSTED_CDN_HOSTS=
+CORS_TRUSTED_CDN_HOSTS=
+
+# --- OpenAI configuration ---
+OPENAI_API_KEY=
+OPENAI_MODEL=
+OPENAI_BASE_URL=
diff --git a/apps/api/boot.js b/apps/api/boot.js
@@ -0,0 +1,7 @@
+import { config } from 'dotenv'
+import { getEnvPath } from '@repo/utils/utils.js'
+
+const envPath = getEnvPath()
+config({ path: envPath || undefined, override: true })
+
+import('./index.js')
diff --git a/apps/api/middleware/cors.js b/apps/api/middleware/cors.js
@@ -1,37 +1,23 @@
 import consola from 'consola'
 
-const APP_ORIGIN_URL = process.env.APP_ORIGIN_URL || 'http://localhost:3000'
-const APP_ORIGIN_HOST = new URL(APP_ORIGIN_URL).host
+const APP_ORIGIN_HOSTS = process.env.APP_ORIGIN_HOSTS || 'localhost'
 const isDevelopment = process.env.NODE_ENV !== 'production'
 
-if (!APP_ORIGIN_URL) {
-  throw new Error('APP_ORIGIN_URL environment variable is required')
-}
-
-/**
- * Helper function to check if the request host is allowed based on the configured APP_ORIGIN_URL.
- * @param {string | undefined} host - The host from the request headers (e.g., 'localhost:3000')
- * @returns {boolean}
- */
-const isHostAllowed = (host) => {
-  if (!host) {
-    return isDevelopment
-  }
-
-  return host === APP_ORIGIN_HOST
-}
+// Support wildcard '*' or comma-separated list of full origin URLs
+// e.g. APP_ORIGIN_HOSTS="modul-ajar.web.id,test.modul-ajar.web.id"
+const ALLOWED_ORIGINS = APP_ORIGIN_HOSTS === '*'
+  ? '*'
+  : APP_ORIGIN_HOSTS.split(',').map(o => o.trim())
 
 /**
- * Helper function to check if the request origin is allowed based on the configured APP_ORIGIN_URL.
- * @param {string} origin - The origin from the request headers (e.g., 'http://localhost:3000')
+ * Helper function to check if the request origin is allowed.
+ * @param {string | undefined} origin - The origin from the request headers (e.g., 'https://modul-ajar.web.id')
  * @returns {boolean}
  */
 const isOriginAllowed = (origin) => {
-  if (!origin) {
-    return isDevelopment
-  }
-
-  return origin === APP_ORIGIN_HOST
+  if (!origin) return isDevelopment
+  if (ALLOWED_ORIGINS === '*') return true
+  return ALLOWED_ORIGINS.includes(origin)
 }
 
 /**
@@ -42,13 +28,38 @@ const isOriginAllowed = (origin) => {
  * @returns {import('express').Response | void}
  */
 const cors = (req, res, next) => {
-  const origin = req.headers.origin || req.headers.host || ''
-  consola.debug(`CORS check - Origin: ${origin}, Host: ${req.headers.host}`)
+  const originHeader = req.headers.origin || req.get('origin') || ''
+
+  let origin = ''
+  let fullUrl = ''
+
+  if (originHeader) {
+    try {
+      const urlObj = new URL(originHeader)
+      origin = urlObj.hostname
+      fullUrl = originHeader
+    } catch (e) {
+      origin = originHeader
+      fullUrl = originHeader
+    }
+  } else {
+    // Fallback if no origin is provided (e.g., direct API calls)
+    const hostHeader = String(req.get('host') || '')
+    origin = hostHeader.split(':')[0]
+    fullUrl = req.protocol + '://' + hostHeader
+  }
+
+  consola.debug(`CORS check - Origin Header: ${originHeader}, Extracted Origin: ${origin}, URL: ${fullUrl}`)
 
   res.header('Vary', 'Origin')
 
-  if (isOriginAllowed(origin)) {
-    res.header('Access-Control-Allow-Origin', origin)
+  const IS_ALLOWED = isOriginAllowed(origin)
+  consola.debug(`CORS allowed: ${IS_ALLOWED} for origin: ${origin}`)
+
+  if (ALLOWED_ORIGINS === '*') {
+    res.header('Access-Control-Allow-Origin', '*')
+  } else if (origin && IS_ALLOWED) {
+    res.header('Access-Control-Allow-Origin', fullUrl)
   }
 
   if (req.url.startsWith('/api/')) {
@@ -64,7 +75,7 @@ const cors = (req, res, next) => {
     return res.sendStatus(204)
   }
 
-  if (!isOriginAllowed(origin) && !isHostAllowed(req.headers.host)) {
+  if (!isOriginAllowed(origin)) {
     consola.warn(`CORS blocked - origin not allowed: ${origin}`)
     return res.status(403).json({ status: false, message: '403 Forbidden', error: null })
   }

diff --git a/apps/api/middleware/helmet.js b/apps/api/middleware/helmet.js
@@ -13,7 +13,7 @@ const helmetMiddleware = helmet({
 
       'upgrade-insecure-requests': isDevelopment ? null : [],
       'frame-ancestors': ["'self'", ...CORS_TRUSTED_HOSTS],
-      'script-src': ["'self'", "'unsafe-inline'", ...CORS_TRUSTED_CDN_HOSTS],
+      'script-src': ["'self'", "'unsafe-inline'", 'https://static.cloudflareinsights.com', ...CORS_TRUSTED_CDN_HOSTS],
       'style-src': ["'self'", "'unsafe-inline'", ...CORS_TRUSTED_CDN_HOSTS],
       'img-src': ["'self'", 'data:', 'https://contrib.rocks', ...CORS_TRUSTED_CDN_HOSTS],
       'font-src': ["'self'", ...CORS_TRUSTED_CDN_HOSTS]

diff --git a/apps/api/package.json b/apps/api/package.json
@@ -4,14 +4,16 @@
   "description": "API for the Modul Ajar Generator",
   "main": "index.js",
   "scripts": {
-    "start": "node index.js",
-    "dev": "npx nodemon index.js"
+    "start": "cross-env NODE_ENV=production node boot.js",
+    "dev": "cross-env NODE_ENV=development npx nodemon boot.js"
   },
   "keywords": [],
   "author": "NgodingCik",
   "license": "Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)",
   "type": "module",
   "dependencies": {
+    "@repo/handlers": "^1.0.0",
+    "@repo/utils": "^1.0.0",
     "consola": "^3.4.2",
     "dotenv": "^17.4.2",
     "express": "^5.2.1",

diff --git a/apps/api/vercel.json b/apps/api/vercel.json
@@ -0,0 +1,35 @@
+{
+  "version": 2,
+  "builds": [
+    {
+      "src": "index.js",
+      "use": "@vercel/node",
+      "config": {
+        "bundle": false,
+        "includeFiles": [
+          "**",
+          "../../packages/**",
+          "../../context/**",
+          "../../public/**",
+          "../../assets/**",
+          "../../resources/**",
+          "../../node_modules/@repo/**",
+          "../../node_modules/openai/**",
+          "../../node_modules/consola/**",
+          "../../node_modules/dotenv/**",
+          "../../node_modules/express/**",
+          "../../node_modules/docx/**",
+          "../../node_modules/@dqbd/**",
+          "../../node_modules/express-rate-limit/**",
+          "../../node_modules/helmet/**"
+        ]
+      }
+    }
+  ],
+  "rewrites": [
+    {
+      "source": "/(.*)",
+      "destination": "/index.js"
+    }
+  ]
+}
diff --git a/apps/web/.env.example b/apps/web/.env.example
@@ -1,11 +1,12 @@
 # --- App configuration ---
 APP_NAME="My App"
-APP_ORIGIN_URL="*"
+# Comma-separated list of allowed CORS
+APP_ORIGIN_HOSTS="*"
 APP_PORT=3000
 APP_HOST="0.0.0.0"
 # Base URL for API requests
 APP_API_BASE_URL=http://localhost:3000/api
-# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by OPENAI_API_BASE_URL and not use the built-in API routes)
+# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by APP_API_BASE_URL and not use the built-in API routes)
 APP_USE_BUILTIN_API=true
 
 # --- CORS configuration ---
@@ -17,4 +18,4 @@ CORS_TRUSTED_CDN_HOSTS="cdn.example.com"
 # --- OpenAI configuration ---
 OPENAI_API_KEY="your-openai-api-key-here"
 OPENAI_MODEL="gpt-3.5-turbo"
-OPENAI_API_BASE_URL="https://api.openai.com/v1"
+OPENAI_BASE_URL="https://api.openai.com/v1"
diff --git a/apps/web/.env.schema b/apps/web/.env.schema
@@ -1,11 +1,12 @@
 # --- App configuration ---
 APP_NAME=
-APP_ORIGIN_URL=
+# Comma-separated list of allowed CORS
+APP_ORIGIN_HOSTS=
 APP_PORT=
 APP_HOST=
 # Base URL for API requests
 APP_API_BASE_URL=
-# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by OPENAI_API_BASE_URL and not use the built-in API routes)
+# Flag to determine whether to use the built-in API or an external API (if true, it will use the built-in API; if false, it will use the external API defined by APP_API_BASE_URL and not use the built-in API routes)
 APP_USE_BUILTIN_API=
 
 # --- CORS configuration ---
@@ -17,4 +18,4 @@ CORS_TRUSTED_CDN_HOSTS=
 # --- OpenAI configuration ---
 OPENAI_API_KEY=
 OPENAI_MODEL=
-OPENAI_API_BASE_URL=
+OPENAI_BASE_URL=
diff --git a/apps/web/boot.js b/apps/web/boot.js
@@ -0,0 +1,7 @@
+import { config } from 'dotenv'
+import { getEnvPath } from '@repo/utils/utils.js'
+
+const envPath = getEnvPath()
+config({ path: envPath || undefined, override: true })
+
+import('./index.js')