fix: add CORS env vars to Swarm/Portainer compose and log trusted origins

The Swarm deployment uses docker-compose.swarm.portainer.yml, not the root docker-compose.yml. Add NEXT_PUBLIC_APP_URL, NEXT_PUBLIC_API_URL, and TRUSTED_ORIGINS to the API service environment. Also log trusted origins at startup for easier CORS debugging. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 22:31:29 -06:00
parent 7c7ad59002
commit abe57621cd
2 changed files with 7 additions and 1 deletions
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -49,8 +49,10 @@ async function bootstrap() {

  // Configure CORS for cookie-based authentication
  // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
+  const trustedOrigins = getTrustedOrigins();
+  console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
  app.enableCors({
-    origin: getTrustedOrigins(),
+    origin: trustedOrigins,
    credentials: true, // Required for cookie-based authentication
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
    allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
@@ -138,6 +138,10 @@ services:
      MOSAIC_TELEMETRY_API_KEY: ${MOSAIC_TELEMETRY_API_KEY:-}
      MOSAIC_TELEMETRY_INSTANCE_ID: ${MOSAIC_TELEMETRY_INSTANCE_ID:-}
      MOSAIC_TELEMETRY_DRY_RUN: ${MOSAIC_TELEMETRY_DRY_RUN:-false}
+      # Frontend URLs (for CORS and auth redirects)
+      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
+      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
+      TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
    healthcheck:
      test:
        [