feat: backend rebuild

backend/.backup/fix-bearer-index.patch.diff

@@ -0,0 +1,64 @@
+diff --git a/src/index.js b/src/index.js
+--- a/src/index.js
++++ b/src/index.js
+@@ -1,9 +1,8 @@
+ import fs from "node:fs";
+ import path from "node:path";
+ import express from "express";
+-import cookieParser from "cookie-parser";
+ import cors from "cors";
+ 
+ import sql from "./db/index.js";
+ import healthRouter from "./routes/health.js";
+ import { authJwt } from "./middleware/authJwt.js";
+@@ -64,7 +63,7 @@
+ // ✅ อยู่หลัง NPM/Reverse proxy → ให้ trust proxy เพื่อให้ cookie secure / proto ทำงานถูก
+ app.set("trust proxy", 1);
+ 
+-// CORS แบบกำหนด origin ตามรายการที่อนุญาต + อนุญาต credentials (จำเป็นสำหรับ cookie)
++// ✅ CORS สำหรับ Bearer token: ไม่ต้องใช้ credentials (ไม่มีคุกกี้)
+ app.use(
+   cors({
+     origin(origin, cb) {
+       if (!origin) return cb(null, true); // server-to-server / curl
+       return cb(null, ALLOW_ORIGINS.includes(origin));
+     },
+-    credentials: true,
++    credentials: false,
+     methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+-    allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
++    allowedHeaders: [
++      "Content-Type",
++      "Authorization",
++      "X-Requested-With",
++      "Accept",
++      "Origin",
++      "Referer",
++      "User-Agent",
++      "Cache-Control",
++      "Pragma"
++    ],
+     exposedHeaders: ["Content-Disposition", "Content-Length"],
+   })
+ );
+ // preflight
+ app.options(
+   "*",
+   cors({
+     origin(origin, cb) {
+       if (!origin) return cb(null, true);
+       return cb(null, ALLOW_ORIGINS.includes(origin));
+     },
+-    credentials: true,
++    credentials: false,
+   })
+ );
+ 
+-app.use(cookieParser());
++// ❌ ไม่ต้อง parse cookie แล้ว (เราไม่ใช้คุกกี้สำหรับ auth)
++// app.use(cookieParser());
+ 
+ // Payload limits
+ app.use(express.json({ limit: "10mb" }));
+ app.use(express.urlencoded({ extended: true, limit: "10mb" }));
+