Skip to content

fix(server): respect custom dev ports in origin allowlist and admin p…#200

Open
dremchee wants to merge 2 commits into
CoreBunch:mainfrom
dremchee:fix/dev-origin-allowlist-vite-port
Open

fix(server): respect custom dev ports in origin allowlist and admin p…#200
dremchee wants to merge 2 commits into
CoreBunch:mainfrom
dremchee:fix/dev-origin-allowlist-vite-port

Conversation

@dremchee

@dremchee dremchee commented Jul 8, 2026

Copy link
Copy Markdown

A custom VITE_PORT broke every state-changing request in dev: the CSRF origin check only allowlisted the default Vite ports 5173/5174, so the browser's Origin on any other port got 403 'Forbidden: invalid origin' — including the first-run setup POST, making the install wizard unusable.

  • Derive DEV_ORIGIN_ALLOWLIST from the environment via a pure buildDevOriginAllowlist(env): default ports plus VITE_PORT, each as localhost and 127.0.0.1, plus the existing VITE_ALLOWED_ORIGIN escape hatch for non-localhost dev hosts.
  • Extract DEFAULT_CMS_PORT / DEFAULT_VITE_PORT into server/config.ts as the single source of truth; consume them in the router, security, healthcheck, vite.config.ts, and the dev/start scripts instead of scattered '3001' / '5173' literals.
  • Point the 'Admin UI not served on this port' placeholder page at the configured PORT / VITE_PORT instead of hardcoded 3001 / 5173.
  • Document VITE_PORT and VITE_ALLOWED_ORIGIN in .env.example and update the auth-and-access doc, which had drifted from the code.

Summary

Describe the change and why it is needed.

Verification

  • bun run build
  • bun test
  • bun run lint
  • Docker/deployment check, if relevant

Checklist

  • Tests cover behavior changes.
  • Docs were updated when behavior, config, deployment, or public surfaces changed.
  • No compatibility shim was added for old pre-release behavior.
  • No secrets, local databases, uploads, or generated artifacts are included.

dremchee and others added 2 commits July 8, 2026 10:33
…laceholder

A custom VITE_PORT broke every state-changing request in dev: the CSRF
origin check only allowlisted the default Vite ports 5173/5174, so the
browser's Origin on any other port got 403 'Forbidden: invalid origin' —
including the first-run setup POST, making the install wizard unusable.

- Derive DEV_ORIGIN_ALLOWLIST from the environment via a pure
  buildDevOriginAllowlist(env): default ports plus VITE_PORT, each as
  localhost and 127.0.0.1, plus the existing VITE_ALLOWED_ORIGIN escape
  hatch for non-localhost dev hosts.
- Extract DEFAULT_CMS_PORT / DEFAULT_VITE_PORT into server/config.ts as
  the single source of truth; consume them in the router, security,
  healthcheck, vite.config.ts, and the dev/start scripts instead of
  scattered '3001' / '5173' literals.
- Point the 'Admin UI not served on this port' placeholder page at the
  configured PORT / VITE_PORT instead of hardcoded 3001 / 5173.
- Document VITE_PORT and VITE_ALLOWED_ORIGIN in .env.example and update
  the auth-and-access doc, which had drifted from the code.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants