From c7da278f1bc560355f05de04fffbc8c60f1f421c Mon Sep 17 00:00:00 2001
From: Socorro DominguezVidana <seiryu88@icloud.com>
Date: Wed, 13 May 2026 12:14:28 -0700
Subject: [PATCH 1/2] OI-24 finished session expirerd handler

---
 app.js       | 31 +++++++++++++------------------
 package.json |  2 +-
 2 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/app.js b/app.js
index 27c3492..01c4389 100755
--- a/app.js
+++ b/app.js
@@ -38,28 +38,19 @@ const limiter = rateLimiter({
 app.engine('html', require('ejs').renderFile);
 
 const {optionalAuth} = require('./v2.0/helpers/validation/sessionauth');
+const allowedOrigins = env === 'production'
+  ? ['https://data.neotomadb.org']
+  : ['http://localhost:5173', 'http://127.0.0.1:5173'];
+
 const corsOptions = {
   origin: function(origin, callback) {
-    // Allow requests with no Origin header (server-to-server, R package, curl, etc.)
-    if (!origin) return callback(null, true);
-
-    const allowed = [
-      'http://localhost:5173',
-      'http://127.0.0.1:5173',
-      'https://data.neotomadb.org',
-      // add other frontends as needed
-    ];
-
-    if (allowed.includes(origin)) {
-      return callback(null, true);
-    }
-    // For now, log and allow — Neotoma data is public.
-    // Tighten this later if you ever return user-specific data based on Origin.
-    console.warn('CORS: unrecognized origin allowed:', origin);
-    return callback(null, true);
+    if (!origin) return callback(null, true); // server-to-server, curl, R package
+    if (allowedOrigins.includes(origin)) return callback(null, true);
+    return callback(new Error(`CORS: origin ${origin} not allowed`));
   },
   credentials: true,
   allowedHeaders: ['Content-Type', 'Authorization'],
+  maxAge: 600,
 };
 
 app.use(cors(corsOptions));
@@ -105,11 +96,15 @@ app.use(morgan(':date[iso]\t:remote-addr\t:method\t:url\t:status\t:res[content-l
 }));
 
 const options = {
-  swaggerUrl: `http://localhost:${apiPort}/api-docs`,
+  // swaggerUrl: `http://localhost:${apiPort}/api-docs`,
   customCssUrl: '/custom.css',
 };
 
 const swaggerDocument = YAML.load('./openapi.yaml');
+// Serve the raw spec at /swagger.json so Swagger UI can find it
+// (it falls back to this URL when the inline embed doesn't catch).
+app.get('/swagger.json', (req, res) => res.json(swaggerDocument));
+
 app.use('/api-docs',
     swaggerUi.serve,
     swaggerUi.setup(swaggerDocument, options));
diff --git a/package.json b/package.json
index 536dea2..4d7f306 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
     "build:openapi": "(cd ./openapi && node ./scripts/build-openapi.js)",
     "validate:openapi": "yarn build:openapi && bash genoatt.sh && sleep 4 && bash runmochabatch.sh"
   },
-  "pre-commit": "validate:openapi",
+  "pre-commit": "build:openapi",
   "dependencies": {
     "@terraformer/wkt": "^2.2.1",
     "acorn": "^8.15.0",

From a4f9a721eeb8378721e07ad7a86517812507cf7f Mon Sep 17 00:00:00 2001
From: Socorro DominguezVidana <seiryu88@icloud.com>
Date: Wed, 13 May 2026 12:16:02 -0700
Subject: [PATCH 2/2] OI-24 finished session expirerd handler

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 4d7f306..536dea2 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
     "build:openapi": "(cd ./openapi && node ./scripts/build-openapi.js)",
     "validate:openapi": "yarn build:openapi && bash genoatt.sh && sleep 4 && bash runmochabatch.sh"
   },
-  "pre-commit": "build:openapi",
+  "pre-commit": "validate:openapi",
   "dependencies": {
     "@terraformer/wkt": "^2.2.1",
     "acorn": "^8.15.0",