From 9cb6677e9f5734c9af00a334ee2bf74840dffcec Mon Sep 17 00:00:00 2001
From: Sem Bauke
Date: Mon, 3 Mar 2025 14:44:37 +0100
Subject: [PATCH] feat(api): log disallowed origins (#59059)

---
 api/src/plugins/cors.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/api/src/plugins/cors.ts b/api/src/plugins/cors.ts
index 58ed68cdb35..b26c1718259 100644
--- a/api/src/plugins/cors.ts
+++ b/api/src/plugins/cors.ts
@@ -10,8 +10,10 @@ const cors: FastifyPluginCallback = (fastify, _options, done) => {
 });

 fastify.addHook('onRequest', async (req, reply) => {
+ const logger = fastify.log.child({ req });
 const origin = req.headers.origin;
 if (origin && allowedOrigins.includes(origin)) {
+ // Do we want to log allowed origins?
 void reply.header('Access-Control-Allow-Origin', origin);
 } else {
 // TODO: Discuss if this is the correct approach. Standard practice is to
@@ -19,6 +21,7 @@ const cors: FastifyPluginCallback = (fastify, _options, done) => {
 // separately. If we switch to that approach we can replace use
 // @fastify/cors instead.
 void reply.header('Access-Control-Allow-Origin', HOME_LOCATION);
+ logger.debug(`Received request from disallowed origin: ${origin}`);
 }
 void reply
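Review bot: The child logger added at the top of the `onRequest` hook, `fastify.log.child({ req })`, is built for every request although only the disallowed-origin branch uses it; Fastify already exposes a request-scoped logger, so `req.log` can be used directly and the extra line dropped. In the second hunk the `Origin` header, which the client controls, is interpolated into the message text; passing it as a field, `req.log.debug({ origin }, 'Received request from disallowed origin');`, keeps the message constant for filtering and alerting and leaves escaping of the raw value to the logger's serializer. Requests that send no `Origin` header also take the `else` branch and would be logged as `disallowed origin: undefined`, so it may be worth guarding the call with `if (origin)`. The hook body continues past the end of the second hunk, so anything after `void reply` is not covered here.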