feat(api): drive CORS + trusted origins from CORS_ORIGINS env

Phone/LAN testing previously required editing both app.ts (cors origin) and
auth.ts (better-auth trustedOrigins). Now both read env.WEB_ORIGINS, parsed from
a comma-separated CORS_ORIGINS env var (default http://localhost:5173). To test
from a phone, set CORS_ORIGINS to include the LAN origin and restart the API — no
code edit. Documented in .env.example. Also fixed the worker README (db:migrate
creates ./data/app.db, not ./.tmp; phone step now uses CORS_ORIGINS). API tests
36/36 green; typecheck clean.
Bas van Rossem
2026-06-17 16:50:21 +02:00
parent bd8e8aff2a
commit 34c48d6353
5 changed files with 25 additions and 7 deletions


@@ -26,7 +26,7 @@ Two processes: the API on `:3000` and the worker SPA on `:5173`.
From the repo root:
```bash
yarn workspace @solelog/api db:migrate # apply migrations (creates ./.tmp DB on first run)
yarn workspace @solelog/api db:migrate # apply migrations (creates ./data/app.db on first run)
yarn workspace @solelog/api db:seed # idempotent: seeds the reference activities
yarn workspace @solelog/api start # Hono server on http://localhost:3000
```
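Review bot: the corrected `(creates ./data/app.db on first run)` comment on the `db:migrate` line is the only place a reader learns where the local database lives, so it is worth one more clause saying that `./data/` is local state (it will hold whatever better-auth persists once someone signs in) and must be git-ignored rather than committed. A short line under the fence such as "`./data/` is git-ignored; delete `./data/app.db` to reset the local DB" would cover both the ignore rule and the reset step that the previous `./.tmp` wording implied.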
@@ -58,10 +58,14 @@ connected to the same Wi-Fi:
```
(On Windows PowerShell: `$env:VITE_API_URL='http://<PC-LAN-IP>:3000'; yarn workspace @solelog/worker dev`.)
4. Add that origin (`http://<PC-LAN-IP>:5173`) to the API's CORS `origin` list
(`apps/api/src/app.ts`) **and** to better-auth `trustedOrigins` (`apps/api/src/auth.ts`), then
restart the API — otherwise the cross-origin sign-in is blocked and the SPA cannot read the
`set-auth-token` response header.
4. Allow that origin on the API by setting `CORS_ORIGINS` when you start it — **no code edit**:
```bash
CORS_ORIGINS=http://localhost:5173,http://<PC-LAN-IP>:5173 yarn workspace @solelog/api start
```
(PowerShell: `$env:CORS_ORIGINS='http://localhost:5173,http://<PC-LAN-IP>:5173'; yarn workspace @solelog/api start`.)
Otherwise the cross-origin sign-in is blocked and the SPA cannot read the `set-auth-token` header.
No firewall punch-through, VPN, or tunnel is involved — just the LAN.
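Review bot: step 4 should state explicitly that `CORS_ORIGINS` replaces the default rather than adding to it, which is the reason the example restates `http://localhost:5173`; a reader who sets only the LAN origin will lock the desktop SPA out and get the same blocked sign-in the paragraph warns about. Two parsing details belong next to the example, since the commit message describes a plain comma split of the env var: whether whitespace around commas is trimmed (`a, b` versus `a,b`), and that each entry must be a complete origin (scheme, host and port, no path, no trailing slash), because both the CORS `origin` check and better-auth `trustedOrigins` are matched against the request's `Origin` header as a whole. Because one value now feeds both lists on a server that issues `set-auth-token`, the README should also tell people not to put `*` or a bare hostname in it and to keep the list to the origins they actually serve from.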