Update server.js

server.js

@@ -14,7 +14,7 @@ app.set('trust proxy', 1);
 // Limit each IP to 100 requests per 15 minutes
 const limiter = rateLimit({
     windowMs: 15 * 60 * 1000, 
-    max: 150, // number of max requests 
+    max: 100, 
     standardHeaders: true,
     legacyHeaders: false,
     message: { error: "Too many requests, please try again later." }
@@ -26,7 +26,7 @@ const allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS
 
 app.use(cors({
     origin: function (origin, callback) {
-        // Allow requests with no origin (like mobile apps/curl) or if list is empty
+        // Open Mode: If list is empty or origin is null (tools/mobile), allow it.
         if (!origin || allowedOrigins.length === 0) return callback(null, true);
         
         if (allowedOrigins.indexOf(origin) !== -1) {
@@ -42,6 +42,7 @@ app.use(express.json());
 // --- 4. MULTI-INSTANCE CONFIGURATION ---
 let INSTANCES = [];
 try {
+    // Example Secret: [{"url":"https://my-flowise.com","key":"tr-123"}, {"url":"https://open-flowise.com","key":""}]
     INSTANCES = JSON.parse(process.env.FLOWISE_INSTANCES || '[]');
 } catch (e) {
     console.error("CRITICAL ERROR: Could not parse FLOWISE_INSTANCES JSON", e);
@@ -62,9 +63,14 @@ async function refreshFlowDirectory() {
     // Run all fetches in parallel
     const promises = INSTANCES.map(async (inst) => {
         try {
-            const res = await fetch(`${inst.url}/api/v1/chatflows`, {
-                headers: { 'Authorization': `Bearer ${inst.key}` }
-            });
+            // Smart Auth: Only add header if key exists
+            const headers = {};
+            if (inst.key && inst.key.length > 0) {
+                headers['Authorization'] = `Bearer ${inst.key}`;
+            }
+
+            const res = await fetch(`${inst.url}/api/v1/chatflows`, { headers });
+            
             if(!res.ok) throw new Error(`Status ${res.status}`);
             const flows = await res.json();
             
@@ -107,14 +113,21 @@ app.post('/api/v1/prediction/:botName', async (req, res) => {
     const finalTarget = flowDirectory[botName];
 
     try {
+        // Construct Headers for forwarding
+        const forwardHeaders = {
+            'Content-Type': 'application/json',
+            'HTTP-Referer': req.headers.origin || 'https://huggingface.co', 
+            'X-Title': 'FederatedProxy'
+        };
+
+        // Smart Auth: Only add Bearer if key exists
+        if (finalTarget.key && finalTarget.key.length > 0) {
+            forwardHeaders['Authorization'] = `Bearer ${finalTarget.key}`;
+        }
+
         const flowiseResponse = await fetch(`${finalTarget.host}/api/v1/prediction/${finalTarget.id}`, {
             method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'Authorization': `Bearer ${finalTarget.key}`,
-                'HTTP-Referer': req.headers.origin || 'https://huggingface.co', 
-                'X-Title': 'FederatedProxy'
-            },
+            headers: forwardHeaders,
             body: JSON.stringify(req.body)
         });