From ac2a92d37123dcdb6a4dabc072bbf05e5fd3950a Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Fri, 27 Feb 2026 06:04:40 -0600
Subject: [PATCH] fix(api): use getTrustedOrigins() for WebSocket CORS instead
 of WEB_URL

The WebSocket gateway was hardcoded to `process.env.WEB_URL ?? "http://localhost:3000"`
for CORS origin, while the main API uses getTrustedOrigins() which reads TRUSTED_ORIGINS.
In production, WEB_URL was not set, causing CORS to reject connections from
mosaic.woltje.com with "Access-Control-Allow-Origin: http://localhost:3000".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 apps/api/src/websocket/websocket.gateway.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/websocket/websocket.gateway.ts b/apps/api/src/websocket/websocket.gateway.ts
index 1439c95..f5b385c 100644
--- a/apps/api/src/websocket/websocket.gateway.ts
+++ b/apps/api/src/websocket/websocket.gateway.ts
@@ -7,6 +7,7 @@ import {
 import { Logger } from "@nestjs/common";
 import { Server, Socket } from "socket.io";
 import { AuthService } from "../auth/auth.service";
+import { getTrustedOrigins } from "../auth/auth.config";
 import { PrismaService } from "../prisma/prisma.service";
 
 interface AuthenticatedSocket extends Socket {
@@ -77,7 +78,7 @@ interface StepOutputData {
  */
 @WSGateway({
   cors: {
-    origin: process.env.WEB_URL ?? "http://localhost:3000",
+    origin: getTrustedOrigins(),
     credentials: true,
   },
 })