mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(api): use getTrustedOrigins() for WebSocket CORS #549

Merged
jason.woltje merged 1 commits from fix/websocket-cors-origins into main 2026-02-27 12:07:52 +00:00
Conversation 0 Commits 1 Files Changed 1 +2 -1
jason.woltje commented 2026-02-27 12:05:06 +00:00
Owner
Copy Link

WebSocket gateway CORS was hardcoded to localhost:3000 via WEB_URL fallback. Production doesn't set WEB_URL, causing CORS rejections for mosaic.woltje.com. Now uses getTrustedOrigins() matching the main API CORS config.

WebSocket gateway CORS was hardcoded to localhost:3000 via WEB_URL fallback. Production doesn't set WEB_URL, causing CORS rejections for mosaic.woltje.com. Now uses getTrustedOrigins() matching the main API CORS config.
jason.woltje added 1 commit 2026-02-27 12:05:06 +00:00
fix(api): use getTrustedOrigins() for WebSocket CORS instead of WEB_URL
All checks were successful
ci/woodpecker/push/api Pipeline was successful
Details
ac2a92d371 
The WebSocket gateway was hardcoded to `process.env.WEB_URL ?? "http://localhost:3000"`
for CORS origin, while the main API uses getTrustedOrigins() which reads TRUSTED_ORIGINS.
In production, WEB_URL was not set, causing CORS to reject connections from
mosaic.woltje.com with "Access-Control-Allow-Origin: http://localhost:3000".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jason.woltje merged commit 78b643a945 into main 2026-02-27 12:07:52 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
ai
AI/LLM integration
 api
Backend/API work
 api
auth
Authentication
 database
database
Database/schema work
 devops
Docker/deployment
 docs
Documentation
 frontend
graph
knowledge-module
migration
Data migration
 orchestrator
Orchestrator service (apps/orchestrator/)
 p0
Critical priority
 p1
High priority
 p2
Medium priority
 p3
Low priority
 performance
Performance work
 phase-1
phase-2
phase-3
phase-4
phase-5
plugin
MoltBot plugin work
 search
security
Security-related
 setup
Initial setup
 testing
Testing/QA
 web
Frontend work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
jason.woltje
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaic/stack#549
Delete Branch "fix/websocket-cors-origins"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?