fix(api): use getTrustedOrigins() for WebSocket CORS instead of WEB_URL
All checks were successful
ci/woodpecker/push/api Pipeline was successful

The WebSocket gateway was hardcoded to `process.env.WEB_URL ?? "http://localhost:3000"`
for CORS origin, while the main API uses getTrustedOrigins() which reads TRUSTED_ORIGINS.
In production, WEB_URL was not set, causing CORS to reject connections from
mosaic.woltje.com with "Access-Control-Allow-Origin: http://localhost:3000".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 06:04:40 -06:00
parent f93503ebcf
commit ac2a92d371


@@ -7,6 +7,7 @@ import {
import { Logger } from "@nestjs/common";
import { Server, Socket } from "socket.io";
import { AuthService } from "../auth/auth.service";
import { getTrustedOrigins } from "../auth/auth.config";
import { PrismaService } from "../prisma/prisma.service";
interface AuthenticatedSocket extends Socket {
@@ -77,7 +78,7 @@ interface StepOutputData {
*/
@WSGateway({
cors: {
origin: process.env.WEB_URL ?? "http://localhost:3000",
origin: getTrustedOrigins(),
credentials: true,
},
})
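Review bot: In the `@WSGateway` options, `origin: getTrustedOrigins()` is a decorator argument, so it is evaluated once when the gateway class is defined at import time, not per connection. The old `process.env.WEB_URL` expression had the same timing, but the new call now depends on TRUSTED_ORIGINS being present in the environment before this module is loaded; please confirm that holds in production, or pass an origin callback so the list is resolved at connection time. Since `credentials: true` is kept, also confirm that getTrustedOrigins() cannot return a wildcard or an empty or undefined value when TRUSTED_ORIGINS is unset (its return value is not visible in this diff), and add a short comment noting that WEB_URL no longer affects the WebSocket origin.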