feat(decap-server): Allow the server to be run securely

[palant]

Summary

The documentation currently says:

Note: decap-server runs an unauthenticated express server. As any client can send requests to the server, it should only be used for local development.

This is fair but it is also unnecessary. The server can be restricted in such a way that it is safe to use.

I introduced two optional environment variables to configure decap-server. The BIND_HOST variable allows binding to 127.0.0.1 rather than all IP addresses. And ORIGIN allows restricting CORS responses to a specific origin rather that allowing the API to be accessed from any server.

Note that I would have preferred making BIND_HOST=localhost the default. I didn’t want to introduce backwards incompatible changes however.

Test plan

Running npm run start still allows connecting to both http://localhost:8081/ and http://<public_ip>:8081>/. The responses contain the HTTP header Access-Content-Allow-Origin: * as before this change.

Running BIND_HOST=localhost npm run start allows connecting to http://localhost:8081/ but connections to http://<public_ip>:8081>/ are no longer possible. It’s a purely local server now.

Running ORIGIN=https://example.com npm run start changes the HTTP header in responses to Access-Content-Allow-Origin: https://example.com. The server can no longer be accessed by arbitrary websites.

Tests complain about port being number | string whereas number is expected. This is unrelated to my change but I’ve fixed it.

Checklist

Please add a x inside each checkbox:

• I have read the contribution guidelines.

I’ve also noticed that the script required for npm run format doesn’t actually exist. I guess npm run lint is meant here which for me errors out due to two warnings unrelated to my changes – but for some reason it succeeds in the CI runs (are these running an older lint version?).

🐈

[Copilot]

Pull Request Overview

This PR adds security configuration options to the decap-server to allow it to be run more securely by introducing host binding and CORS origin restrictions. The changes enable developers to restrict server access to localhost only and limit API requests to specific origins.

• Added BIND_HOST environment variable to control which IP address the server binds to
• Added ORIGIN environment variable to configure CORS origin restrictions instead of allowing all origins
• Fixed type issue with port parsing to ensure it's always a number

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
packages/decap-server/src/index.ts	Added host binding configuration and port parsing fix
packages/decap-server/src/middlewares/common/index.ts	Updated CORS configuration to use ORIGIN environment variable
packages/decap-server/README.md	Added documentation for new environment variables

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[martinjagodic]

@palant run npm run format to fix the formatting error

[martinjagodic]

@palant can you review the docs update about this PR? Is all info here correct, could something be better written? decaporg/decap-website#140