underpost 2.8.884 → 2.8.885

package/src/db/mongo/MongooseDB.js

@@ -1,152 +1,70 @@
 import mongoose from 'mongoose';
 import { loggerFactory } from '../../server/logger.js';
 import { getCapVariableName } from '../../client/components/core/CommonJs.js';
-import { shellCd, shellExec } from '../../server/process.js';
+
+/**
+ * Module for connecting to and loading models for a MongoDB database using Mongoose.
+ * @module src/db/MongooseDB.js
+ * @namespace MongooseDBNamespace
+ */
 
 const logger = loggerFactory(import.meta);
 
-const MongooseDB = {
-  connect: async (host, name) => {
+/**
+ * @class
+ * @alias MongooseDBService
+ * @memberof MongooseDBNamespace
+ * @classdesc Manages the Mongoose connection lifecycle and dynamic loading of database models
+ * based on API configuration.
+ */
+class MongooseDBService {
+  /**
+   * Establishes a Mongoose connection to the specified MongoDB instance.
+   *
+   * @async
+   * @param {string} host - The MongoDB host (e.g., 'mongodb://localhost:27017').
+   * @param {string} name - The database name.
+   * @returns {Promise<mongoose.Connection>} A promise that resolves to the established Mongoose connection object.
+   */
+  async connect(host, name) {
     const uri = `${host}/${name}`;
-    // logger.info('MongooseDB connect', { host, name, uri });
+    logger.info('MongooseDB connect', { host, name, uri });
     return await mongoose
       .createConnection(uri, {
-        // useNewUrlParser: true,
-        // useUnifiedTopology: true,
+        // Options like useNewUrlParser and useUnifiedTopology are often set here.
       })
       .asPromise();
-    return new Promise((resolve, reject) =>
-      mongoose
-        .connect(
-          uri,
-          // ,{
-          //   useNewUrlParser: true,
-          //   useUnifiedTopology: true,
-          // }
-        )
-        .then((db) => {
-          logger.info(`db connected`, uri);
-          return resolve(db);
-        })
-        .catch((err) => {
-          logger.error(err, { host, name, error: err.stack });
-          // return reject(err);
-          return resolve(undefined);
-        }),
-    );
-  },
-  loadModels: async function (options = { apis: ['test'], conn: new mongoose.Connection() }) {
+  }
+
+  /**
+   * Dynamically loads Mongoose models for a list of APIs and binds them to the given connection.
+   *
+   * @async
+   * @param {object} [options] - Options for model loading.
+   * @param {Array<string>} [options.apis=['test']] - List of API names (folders) to load models from.
+   * @param {mongoose.Connection} [options.conn=new mongoose.Connection()] - The active Mongoose connection.
+   * @returns {Promise<object>} A promise that resolves to an object map of loaded Mongoose models.
+   */
+  async loadModels(options = { apis: ['test'], conn: new mongoose.Connection() }) {
     const { conn, apis } = options;
     const models = {};
     for (const api of apis) {
+      // Dynamic import of the model file
       const { ProviderSchema } = await import(`../../api/${api}/${api}.model.js`);
-      const keyModel = getCapVariableName(api);
+      const keyModel = getCapVariableName(api); // Assuming this returns a capitalized model name
       models[keyModel] = conn.model(keyModel, ProviderSchema);
     }
 
     return models;
-  },
-  server: async function () {
-    logger.info('platform', process.platform);
-    switch (process.platform) {
-      case 'win32':
-        {
-          // https://www.mongodb.com/docs/v7.0/tutorial/install-mongodb-on-windows-unattended/
-
-          // C:\Program Files\MongoDB\Tools\100\bin
-
-          const urlDownload = `https://fastdl.mongodb.org/windows/mongodb-windows-x86_64-7.0.14-signed.msi`;
-          const folderPath = `./engine-private/setup`;
-          if (!fs.existsSync(folderPath)) fs.mkdirSync(folderPath, { recursive: true });
-          const fullPath = `${folderPath}/${urlDownload.split('/').pop()}`;
-          logger.info('destination', fullPath);
-          shellCd(folderPath);
-        }
-        break;
-      case 'linux':
-        {
-          if (!process.argv.includes('server')) {
-            logger.info('remove');
-            shellExec(`sudo apt-get purge mongodb-org*`);
-            shellExec(`sudo rm -r /var/log/mongodb`);
-            shellExec(`sudo rm -r /var/lib/mongodb`);
-            // restore lib
-            // shellExec(`sudo chown -R mongodb:mongodb /var/lib/mongodb/*`);
-            // mongod --repair
-
-            if (process.argv.includes('legacy')) {
-              // TODO:
-              if (process.argv.includes('rocky')) {
-                // https://github.com/mongodb/mongodb-selinux
-                // https://www.mongodb.com/docs/v7.0/tutorial/install-mongodb-enterprise-on-red-hat/
-                // https://www.mongodb.com/docs/v6.0/tutorial/install-mongodb-on-red-hat/
-                // https://www.mongodb.com/docs/v4.4/tutorial/install-mongodb-on-red-hat/
-                // dnf install selinux-policy-devel
-                // git clone https://github.com/mongodb/mongodb-selinux
-                // cd mongodb-selinux
-                // make
-                // sudo make install
-                // yum list installed | grep mongo
-                // sudo yum erase $(rpm -qa | grep mongodb)
-                // remove service
-                // sudo systemctl reset-failed
-                // MongoDB 5.0+ requires a CPU with AVX support
-                // check: grep avx /proc/cpuinfo
-              }
-              logger.info('install legacy 4.4');
-              shellExec(`wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -`);
-
-              shellExec(
-                `echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list`,
-              );
-
-              shellExec(`sudo apt-get update`);
-
-              shellExec(
-                `sudo apt-get install mongodb-org=4.4.8 mongodb-org-server=4.4.8 mongodb-org-shell=4.4.8 mongodb-org-mongos=4.4.8 mongodb-org-tools=4.4.8`,
-              );
-            } else {
-              logger.info('install 7.0');
-              shellExec(`curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
-   sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
-   --dearmor`);
-              shellExec(
-                `echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list`,
-              );
-
-              shellExec(`sudo apt-get update`);
-
-              shellExec(`sudo apt-get install -y mongodb-org`);
-            }
-          }
-          logger.info('clean server environment');
-          shellExec(`sudo service mongod stop`);
-          shellExec(`sudo systemctl unmask mongod`);
-          shellExec(`sudo pkill -f mongod`);
-          shellExec(`sudo systemctl enable mongod.service`);
-
-          shellExec(`sudo chown -R mongodb:mongodb /var/lib/mongodb`);
-          shellExec(`sudo chown mongodb:mongodb /tmp/mongodb-27017.sock`);
-
-          shellExec(`sudo chown -R mongod:mongod /var/lib/mongodb`);
-          shellExec(`sudo chown mongod:mongod /tmp/mongodb-27017.sock`);
-
-          logger.info('run server');
-          shellExec(`sudo service mongod restart`);
-
-          const checkStatus = () => {
-            logger.info('check status');
-            shellExec(`sudo systemctl status mongod`);
-            shellExec(`sudo systemctl --type=service | grep mongod`);
-          };
-
-          checkStatus();
-        }
-        break;
-      default:
-        break;
-    }
-  },
-};
-
-export { MongooseDB };
+  }
+}
+
+/**
+ * Singleton instance of the MongooseDBService class for backward compatibility.
+ * @alias MongooseDB
+ * @memberof MongooseDBNamespace
+ * @type {MongooseDBService}
+ */
+const MongooseDB = new MongooseDBService();
+
+export { MongooseDB, MongooseDBService as MongooseDBClass };

package/src/index.js

@@ -35,7 +35,7 @@ class Underpost {
    * @type {String}
    * @memberof Underpost
    */
-  static version = 'v2.8.884';
+  static version = 'v2.8.885';
   /**
    * Repository cli API
    * @static

package/src/mailer/EmailRender.js

@@ -1,7 +1,31 @@
 import { ssrFactory } from '../server/ssr.js';
 
-const EmailRender = {
-  style: {
+/**
+ * Module for handling the rendering and styling of HTML emails using SSR components.
+ * @module src/mailer/EmailRender.js
+ * @namespace EmailRenderNamespace
+ */
+
+/**
+ * @class
+ * @alias EmailRenderService
+ * @memberof EmailRenderNamespace
+ * @classdesc Utility class for managing CSS styles and rendering email templates using
+ * Server-Side Rendering (SSR) components.
+ */
+class EmailRenderService {
+  /**
+   * Defines the base CSS styles for different elements within the email template.
+   * Keys are CSS selectors (or class names), and values are objects of CSS properties.
+   * @type {object.<string, object.<string, string>>}
+   * @property {object} body - Styles for the main email body wrapper.
+   * @property {object} .container - Styles for the main content container.
+   * @property {object} h1 - Styles for primary headings.
+   * @property {object} p - Styles for standard paragraphs.
+   * @property {object} button - Styles for call-to-action buttons.
+   * @property {object} .footer - Styles for the email footer.
+   */
+  style = {
     body: {
       'font-family': 'Arial, sans-serif',
       'background-color': '#f4f4f4',
@@ -46,22 +70,47 @@ const EmailRender = {
       'font-size': '14px',
       color: '#999999',
     },
-  },
-  renderStyle: function (classObj) {
+  };
+
+  /**
+   * Converts a style object defined in the `this.style` property into a CSS style string.
+   *
+   * @param {string} classObj - The key corresponding to a style object in `this.style`.
+   * @returns {string} A string containing inline CSS properties (e.g., ` property: value;`).
+   */
+  renderStyle(classObj) {
+    if (!this.style[classObj]) return '';
     return Object.keys(this.style[classObj])
       .map((classKey) => ` ${classKey}: ${this.style[classObj][classKey]};`)
       .join(``);
-  },
+  }
 
-  getTemplates: async function (options = { templates: {} }) {
+  /**
+   * Loads and renders email templates using the SSR factory.
+   *
+   * @async
+   * @param {object} [options] - Options containing the template names.
+   * @param {object.<string, string>} [options.templates={}] - Map of template keys to their SSR component file names.
+   * @returns {Promise<object.<string, string>>} A promise that resolves to an object map of rendered HTML email strings.
+   */
+  async getTemplates(options = { templates: {} }) {
     const templates = {};
     for (const templateKey of Object.keys(options.templates)) {
       const ssrEmailComponent = options.templates[templateKey];
+      // Note: ssrFactory is assumed to load and return a functional component/function
       const SrrComponent = await ssrFactory(`./src/client/ssr/mailer/${ssrEmailComponent}.js`);
       templates[templateKey] = SrrComponent(this, options);
     }
     return templates;
-  },
-};
+  }
+}
+
+/**
+ * Singleton instance of the EmailRenderService class for backward compatibility.
+ * @alias EmailRender
+ * @memberof EmailRenderNamespace
+ * @type {EmailRenderService}
+ */
+const EmailRender = new EmailRenderService();
 
-export { EmailRender };
+export { EmailRender, EmailRenderService as EmailRenderClass };

package/src/mailer/MailerProvider.js

@@ -2,11 +2,66 @@ import nodemailer from 'nodemailer';
 import { loggerFactory } from '../server/logger.js';
 import { EmailRender } from './EmailRender.js';
 
+/**
+ * Module for configuring and sending emails using Nodemailer.
+ * @module src/mailer/MailerProvider.js
+ * @namespace MailerProviderNamespace
+ */
+
 const logger = loggerFactory(import.meta);
 
-const MailerProvider = {
-  instance: {},
-  load: async function (
+/**
+ * @typedef {object} MailerOptions
+ * @property {string} id - Unique identifier for the mailer configuration.
+ * @property {string} [meta='mailer'] - Meta identifier for logging/context.
+ * @property {object} sender - The default sender details.
+ * @property {string} sender.email - The default sender email address.
+ * @property {string} sender.name - The default sender name.
+ * @property {object} transport - Nodemailer transport configuration.
+ * @property {string} transport.host - SMTP host.
+ * @property {number} [transport.port=587] - SMTP port.
+ * @property {boolean} [transport.secure=false] - Use TLS (true for 465, false for other ports).
+ * @property {object} transport.auth - Authentication details.
+ * @property {string} transport.auth.user - Username.
+ * @property {string} transport.auth.pass - Password.
+ * @property {string} [host=''] - Application host for context.
+ * @property {string} [path=''] - Application path for context.
+ * @property {object.<string, string>} templates - Map of template keys to SSR component file names.
+ */
+
+/**
+ * @class
+ * @alias MailerProviderService
+ * @memberof MailerProviderNamespace
+ * @classdesc Manages multiple Nodemailer transporter instances and handles loading of
+ * email templates and sending emails.
+ */
+class MailerProviderService {
+  /**
+   * Internal storage for mailer instances (transporters, options, templates), keyed by ID.
+   * @type {object.<string, object>}
+   * @private
+   */
+  #instance = {};
+
+  /**
+   * Retrieves the internal instance storage for direct access (used for backward compatibility).
+   * @returns {object.<string, object>} The internal mailer instance map.
+   */
+  get instance() {
+    return this.#instance;
+  }
+
+  /**
+   * Loads and initializes a new mailer provider instance using Nodemailer.
+   * The created instance is stored internally and includes the transporter and rendered templates.
+   *
+   * @async
+   * @param {MailerOptions} [options] - Configuration options for the mailer instance.
+   * @returns {Promise<object|undefined>} A promise that resolves to the initialized mailer instance
+   * object, or `undefined` on error.
+   */
+  async load(
     options = {
       id: '',
       meta: 'mailer',
@@ -33,18 +88,13 @@ const MailerProvider = {
   ) {
     try {
       options.transport.tls = {
-        rejectUnauthorized: false,
+        rejectUnauthorized: false, // allows self-signed certs for local/dev
       };
       const { id } = options;
-      // Generate test SMTP service account from ethereal.email
-      // Only needed if you don't have a real mail account for testing
-      // let testAccount = await nodemailer.createTestAccount();
 
-      // create reusable transporter object using the default SMTP transport
       const transporter = nodemailer.createTransport(options.transport);
 
-      // console.log('load logger', { url: options.meta });
-      this.instance[id] = {
+      this.#instance[id] = {
         ...options,
         transporter,
         templates: await EmailRender.getTemplates(options),
@@ -87,13 +137,28 @@ const MailerProvider = {
         },
       };
 
-      return this.instance[id];
+      return this.#instance[id];
     } catch (error) {
       logger.error(error, error.stack);
       return undefined;
     }
-  },
-  send: async function (
+  }
+
+  /**
+   * Sends an email using a previously loaded transporter instance.
+   *
+   * @async
+   * @param {object} [options] - Options for sending the email.
+   * @param {string} options.id - The ID of the mailer instance/transporter to use.
+   * @param {object} options.sendOptions - Nodemailer mail options.
+   * @param {string} [options.sendOptions.from] - Sender address (defaults to loaded instance sender).
+   * @param {string} options.sendOptions.to - List of receivers (comma-separated).
+   * @param {string} options.sendOptions.subject - Subject line.
+   * @param {string} [options.sendOptions.text] - Plain text body.
+   * @param {string} [options.sendOptions.html] - HTML body.
+   * @returns {Promise<object|undefined>} A promise that resolves to the Nodemailer `info` object, or `undefined` on error.
+   */
+  async send(
     options = {
       id: '',
       sendOptions: {
@@ -114,26 +179,34 @@ const MailerProvider = {
   ) {
     try {
       const { id, sendOptions } = options;
-      if (!sendOptions.from) sendOptions.from = `${this.instance[id].sender.name} <${this.instance[id].sender.email}>`;
+      const instance = this.#instance[id];
 
-      // send mail with defined transport object
-      const info = await this.instance[id].transporter.sendMail(sendOptions);
+      if (!instance) {
+        logger.error(`Mailer instance with ID '${id}' not loaded.`);
+        return undefined;
+      }
 
-      // console.log('Message sent: %s', info.messageId);
-      // logger.info('Message sent', info);
+      if (!sendOptions.from) sendOptions.from = `${instance.sender.name} <${instance.sender.email}>`;
 
-      // Message sent: <b658f8ca-6296-ccf4-8306-87d57a0b4321@example.com>
+      // send mail with defined transport object
+      const info = await instance.transporter.sendMail(sendOptions);
 
-      // Preview only available when sending through an Ethereal account
-      // console.log("Preview URL: %s", nodemailer.getTestMessageUrl(info));
-      // Preview URL: https://ethereal.email/message/WaQKMgKddxQDoou...
+      // logger.info('Message sent', info);
 
       return info;
     } catch (error) {
       logger.error(error, error.stack);
       return undefined;
     }
-  },
-};
+  }
+}
+
+/**
+ * Singleton instance of the MailerProviderService class for backward compatibility.
+ * @alias MailerProvider
+ * @memberof MailerProviderNamespace
+ * @type {MailerProviderService}
+ */
+const MailerProvider = new MailerProviderService();
 
-export { MailerProvider };
+export { MailerProvider, MailerProviderService as MailerProviderClass };

package/src/runtime/express/Express.js

@@ -50,7 +50,6 @@ class ExpressService {
    * @param {boolean} [config.peer] - Whether to enable the peer server.
    * @param {object} [config.valkey] - Valkey connection configuration.
    * @param {string} [config.apiBaseHost] - Base host for the API (if running separate API).
-   * @param {number} [config.devApiPort] - The dynamically calculated development API port used for CORS in dev mode.
    * @param {string} config.redirectTarget - The full target URL for redirection (used if `redirect` is true).
    * @param {string} config.rootHostPath - The root path for public host assets (e.g., `/public/hostname`).
    * @param {object} config.confSSR - The SSR configuration object, used to look up Mailer templates.
@@ -73,7 +72,6 @@ class ExpressService {
     peer,
     valkey,
     apiBaseHost,
-    devApiPort, // New parameter for dev environment CORS
     redirectTarget,
     rootHostPath,
     confSSR,
@@ -131,35 +129,6 @@ class ExpressService {
     // Static file serving
     app.use('/', express.static(directory ? directory : `.${rootHostPath}`));
 
-    // Swagger path definition
-    const swaggerJsonPath = `./public/${host}${path === '/' ? path : `${path}/`}swagger-output.json`;
-    const swaggerPath = `${path === '/' ? `/api-docs` : `${path}/api-docs`}`;
-
-    // Flag swagger requests before security middleware
-    if (fs.existsSync(swaggerJsonPath)) {
-      app.use(swaggerPath, (req, res, next) => {
-        res.locals.isSwagger = true;
-        next();
-      });
-    }
-
-    // Security and CORS
-    applySecurity(app, {
-      origin: (origin, callback) => {
-        // Use devApiPort if provided to calculate the allowed development CORS origin
-        const devOrigin =
-          apis && process.env.NODE_ENV === 'development' && devApiPort ? [`http://localhost:${devApiPort}`] : [];
-
-        const allowedOrigins = origins.concat(devOrigin);
-
-        if (!origin || allowedOrigins.includes(origin)) {
-          callback(null, true);
-        } else {
-          callback(new Error('Not allowed by CORS'));
-        }
-      },
-    });
-
     // Handle redirection-only instances
     if (redirect) {
       app.use((req, res, next) => {
@@ -174,9 +143,20 @@ class ExpressService {
 
     // Create HTTP server for regular instances (required for WebSockets)
     const server = createServer({}, app);
-    if (peer) portsUsed++; // Peer server uses one additional port
 
     if (!apiBaseHost) {
+      // Swagger path definition
+      const swaggerJsonPath = `./public/${host}${path === '/' ? path : `${path}/`}swagger-output.json`;
+      const swaggerPath = `${path === '/' ? `/api-docs` : `${path}/api-docs`}`;
+
+      // Flag swagger requests before security middleware
+      if (fs.existsSync(swaggerJsonPath)) {
+        app.use(swaggerPath, (req, res, next) => {
+          res.locals.isSwagger = true;
+          next();
+        });
+      }
+
       // Swagger UI setup
       if (fs.existsSync(swaggerJsonPath)) {
         const swaggerDoc = JSON.parse(fs.readFileSync(swaggerJsonPath, 'utf8'));
@@ -184,6 +164,11 @@ class ExpressService {
         app.use(swaggerPath, swaggerUi.serve, swaggerUi.setup(swaggerDoc));
       }
 
+      // Security and CORS
+      applySecurity(app, {
+        origin: origins,
+      });
+
       // Database and Valkey connections
       if (db && apis) await DataBaseProvider.load({ apis, host, path, db });
       if (valkey) await createValkeyConnection({ host, path }, valkey);
@@ -216,10 +201,10 @@ class ExpressService {
       // WebSocket server setup
       if (ws) {
         const { createIoServer } = await import(`../../ws/${ws}/${ws}.ws.server.js`);
-        const { options, meta } = await createIoServer(server, { host, path, db, port, origins });
+        const { options, meta, ioServer } = await createIoServer(server, { host, path, db, port, origins });
 
         // Listen on the main port for the WS server
-        await UnderpostStartUp.API.listenPortController(UnderpostStartUp.API.listenServerFactory(), port, {
+        await UnderpostStartUp.API.listenPortController(ioServer, port, {
           runtime: 'nodejs',
           client: null,
           host,
@@ -230,6 +215,7 @@ class ExpressService {
 
       // Peer server setup
       if (peer) {
+        portsUsed++; // Peer server uses one additional port
         const peerPort = newInstance(port + portsUsed); // portsUsed is 1 here
         const { options, meta, peerServer } = await createPeerServer({
           port: peerPort,

package/src/server/auth.js

@@ -325,33 +325,13 @@ const validatePasswordMiddleware = (req) => {
 /**
  * Creates cookie options for the refresh token.
  * @param {import('express').Request} req The Express request object.
+ * @param {string} host The host name.
  * @returns {object} Cookie options.
  * @memberof Auth
  */
-const cookieOptionsFactory = (req) => {
+const cookieOptionsFactory = (req, host) => {
   const isProduction = process.env.NODE_ENV === 'production';
 
-  // Determine hostname safely:
-  // Prefer origin header if present (it contains protocol + host)
-  let candidateHost = undefined;
-  try {
-    if (req.headers && req.headers.origin) {
-      candidateHost = new URL(req.headers.origin).hostname;
-    }
-  } catch (e) {
-    /* ignore parse error */
-    logger.error(e);
-  }
-
-  // fallback to req.hostname (Express sets this; ensure trust proxy if behind proxy)
-  if (!candidateHost) candidateHost = (req.hostname || '').split(':')[0];
-
-  candidateHost = (candidateHost || '').trim().replace(/^www\./i, '');
-
-  // Do not set domain for localhost, 127.x.x.x, or plain IPs
-  const isIpOrLocal = /^(localhost|127(?:\.\d+){0,2}\.\d+|\[::1\]|\d+\.\d+\.\d+\.\d+)$/i.test(candidateHost);
-  const domain = isProduction && candidateHost && !isIpOrLocal ? `.${candidateHost}` : undefined;
-
   // Determine if request is secure: respect X-Forwarded-Proto when behind proxy
   const forwardedProto = (req.headers && req.headers['x-forwarded-proto']) || '';
   const reqIsSecure = Boolean(req.secure || forwardedProto.split(',')[0] === 'https');
@@ -361,17 +341,16 @@ const cookieOptionsFactory = (req) => {
   const sameSite = secure ? 'None' : 'Lax';
 
   // Safe parse of maxAge minutes
-  const minutes = Number.parseInt(process.env.ACCESS_EXPIRE_MINUTES, 10);
-  const maxAge = Number.isFinite(minutes) && minutes > 0 ? minutes * 60 * 1000 : undefined;
+  const maxAge = parseInt(process.env.ACCESS_EXPIRE_MINUTES) * 60 * 1000;
 
   const opts = {
     httpOnly: true,
     secure,
     sameSite,
     path: '/',
+    domain: process.env.NODE_ENV === 'production' ? host : 'localhost',
+    maxAge,
   };
-  if (typeof maxAge !== 'undefined') opts.maxAge = maxAge;
-  if (domain) opts.domain = domain;
 
   return opts;
 };
@@ -409,7 +388,7 @@ async function createSessionAndUserToken(user, User, req, res, options = { host:
   const jwtid = session._id.toString();
 
   // Secure cookie settings
-  res.cookie('refreshToken', refreshToken, cookieOptionsFactory(req));
+  res.cookie('refreshToken', refreshToken, cookieOptionsFactory(req, options.host));
 
   return { jwtid };
 }
@@ -512,6 +491,7 @@ async function refreshSessionAndToken(req, res, User, options = { host: '', path
 
   if (!user) {
     // Possible token reuse: look up user by some other signals? If not possible, log and throw.
+    // TODO: on cors requests, this will throw an error, because the cookie is not sent.
     logger.warn('Refresh token reuse or invalid token detected');
     // Optional: revoke by clearing cookie and returning unauthorized
     res.clearCookie('refreshToken', { path: '/' });
@@ -543,7 +523,7 @@ async function refreshSessionAndToken(req, res, User, options = { host: '', path
 
   logger.warn('Refreshed session for user ' + user.email);
 
-  res.cookie('refreshToken', refreshToken, cookieOptionsFactory(req));
+  res.cookie('refreshToken', refreshToken, cookieOptionsFactory(req, options.host));
 
   return jwtSign(
     UserDto.auth.payload(user, session._id.toString(), req.ip, req.headers['user-agent'], options.host, options.path),
@@ -663,6 +643,7 @@ function applySecurity(app, opts = {}) {
       maxAge: 600,
     }),
   );
+  logger.info('Cors origin', origin);
 
   // Rate limiting + slow down
   const limiter = rateLimit({