The alternate CORS origin is derived by calling String::replace on the raw API_ENDPOINT_SERVER value. This is not URI-aware and replaces all occurrences of the substring. A hostname such as http://localhost-staging.fsek.se:1443 would produce http://127.0.0.1-staging.fsek.se:1443 as the alternate allowed origin.
File: rustsystem-trustauth/src/lib.rs:196-200
    let alt = if API_ENDPOINT_SERVER.contains("127.0.0.1") {
        API_ENDPOINT_SERVER.replace("127.0.0.1", "localhost")
    } else {
        API_ENDPOINT_SERVER.replace("localhost", "127.0.0.1")
    };
Fix: Parse API_ENDPOINT_SERVER as a URI and manipulate only the host component.
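One way to apply this fix, as an added example that is not the project's own code: the origin is split into scheme, host and port, and the swap happens only when the host is exactly a loopback name. The helper names `split_origin` and `alternate_origin` are hypothetical, the parser is std-only and accepts bare origins only, and returning no alternate for a non-loopback host is an assumption about the intended behaviour.

```rust
/// Splits "scheme://host[:port]" into its parts. Returns None for anything
/// that is not a bare origin (path, query, fragment, userinfo, bad port).
fn split_origin(origin: &str) -> Option<(&str, &str, Option<&str>)> {
    let (scheme, rest) = origin.split_once("://")?;
    let rest = rest.strip_suffix('/').unwrap_or(rest);
    let forbidden = |c: char| matches!(c, '/' | '?' | '#' | '@');
    if scheme.is_empty() || rest.is_empty() || rest.contains(forbidden) {
        return None;
    }
    match rest.rsplit_once(':') {
        Some((host, port)) if !port.is_empty() && port.bytes().all(|b| b.is_ascii_digit()) => {
            Some((scheme, host, Some(port)))
        }
        Some(_) => None, // colon present but no numeric port
        None => Some((scheme, rest, None)),
    }
}

/// Returns the loopback alias of `origin`, or None when the host component
/// is not exactly "localhost" or "127.0.0.1" (assumed policy: no alias then).
fn alternate_origin(origin: &str) -> Option<String> {
    let (scheme, host, port) = split_origin(origin)?;
    let alt_host = if host.eq_ignore_ascii_case("localhost") {
        "127.0.0.1"
    } else if host == "127.0.0.1" {
        "localhost"
    } else {
        return None; // e.g. localhost-staging.fsek.se: substring match only
    };
    Some(match port {
        Some(p) => format!("{}://{}:{}", scheme, alt_host, p),
        None => format!("{}://{}", scheme, alt_host),
    })
}

fn main() {
    // Constructed sample values; the third is the hostname from the report.
    let samples = [
        "http://localhost:1443",
        "http://127.0.0.1:1443",
        "http://localhost-staging.fsek.se:1443",
    ];
    for o in samples.iter() {
        println!("{} -> {:?}", o, alternate_origin(o));
    }
}
```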