From db07c718b92e03d579577fe111b538c2a9a963dd Mon Sep 17 00:00:00 2001
From: Oliver Eyton-Williams
Date: Wed, 23 Apr 2025 22:50:12 +0200
Subject: [PATCH] fix: only log if the request has an Origin header (#59920)

---
 api/src/plugins/cors.test.ts | 12 ++++++++++++
 api/src/plugins/cors.ts | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/api/src/plugins/cors.test.ts b/api/src/plugins/cors.test.ts
index c23ca0dd889..e599d4744ed 100644
--- a/api/src/plugins/cors.test.ts
+++ b/api/src/plugins/cors.test.ts
@@ -32,4 +32,16 @@ describe('cors', () => {
 expect(spy).not.toHaveBeenCalled();
 });
 });
+
+ it('should not log if the origin is undefined', async () => {
+ const logger = fastify.log.child({ req: { url: '/api/some-endpoint' } });
+ const spies = LOG_LEVELS.map(level => jest.spyOn(logger, level));
+ await fastify.inject({
+ url: '/api/some-endpoint'
+ });
+
+ spies.forEach(spy => {
+ expect(spy).not.toHaveBeenCalled();
+ });
+ });
 });
diff --git a/api/src/plugins/cors.ts b/api/src/plugins/cors.ts
index 3c3bfb141fe..c41a155f5a7 100644
--- a/api/src/plugins/cors.ts
+++ b/api/src/plugins/cors.ts
@@ -22,7 +22,7 @@ const cors: FastifyPluginCallback = (fastify, _options, done) => {
 // @fastify/cors instead.
 void reply.header('Access-Control-Allow-Origin', HOME_LOCATION);
- if (!req.url?.startsWith('/status/')) {
+ if (origin && !req.url?.startsWith('/status/')) {
 logger.info(`Received request from disallowed origin: ${origin}`);
 }
 }
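Review bot: The spies in the new `should not log if the origin is undefined` test are attached to a child logger created inside the test, so they only observe calls if the plugin ends up logging through that same object. Nothing visible in this hunk makes `fastify.log.child` return the spied instance; if the plugin creates its own child per request, the `not.toHaveBeenCalled` assertions pass whether or not the guard in cors.ts is present. Consider stubbing it before the inject, e.g. `jest.spyOn(fastify.log, 'child').mockReturnValue(logger);`, and confirm the test fails with the `origin &&` condition reverted. The enclosing `describe` starts outside the hunk, so existing setup may already cover this.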
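Review bot: The `Origin` value written by `logger.info` on the line after the changed condition is request-controlled and is still interpolated straight into the message text. Passing it as a structured field, `logger.info({ origin }, 'Received request from disallowed origin');`, keeps the message constant for alerting and leaves escaping to the logger's serializer. A short comment on the new guard, such as `// No Origin header: same-origin or non-browser request, nothing to report`, would record why the check exists. Any client can still produce one log line per request by sending an arbitrary Origin, so this path presumably relies on rate limiting elsewhere. The enclosing callback starts and ends outside the hunk.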