From b0b49764b98c8bd4e15d57a4e4719ac1be9a6d46 Mon Sep 17 00:00:00 2001
From: DhanushSantosh
Date: Sun, 18 Jan 2026 01:50:41 +0530
Subject: [PATCH] fix: add localhost to CORS_ORIGIN for web mode development
The web mode launcher was setting CORS_ORIGIN to only include the system hostname and 127.0.0.1, but users access via http://localhost:3007 which wasn't in the allowed list.
Now includes:
- http://localhost:3007 (primary dev URL)
- http://$HOSTNAME:3007 (system hostname if needed)
- http://127.0.0.1:3007 (loopback IP)
Also cleaned up debug logging from CORS check since root cause is now clear.
Fixes: Persistent "Not allowed by CORS" errors in web mode
Co-Authored-By: Claude Haiku 4.5
---
 apps/server/src/index.ts | 8 +-------
 start-automaker.sh | 2 +-
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/apps/server/src/index.ts b/apps/server/src/index.ts
index 06575282..70cf9318 100644
--- a/apps/server/src/index.ts
+++ b/apps/server/src/index.ts
@@ -164,12 +164,9 @@ app.use(
 return;
 }
- console.log(`[CORS] Checking origin: ${origin}`);
-
 // If CORS_ORIGIN is set, use it (can be comma-separated list)
 const allowedOrigins = process.env.CORS_ORIGIN?.split(',').map((o) => o.trim());
 if (allowedOrigins && allowedOrigins.length > 0 && allowedOrigins[0] !== '*') {
- console.log(`[CORS] CORS_ORIGIN env var is set: ${allowedOrigins.join(', ')}`);
 if (allowedOrigins.includes(origin)) {
 callback(null, origin);
 } else {
@@ -182,7 +179,6 @@ app.use(
 try {
 const url = new URL(origin);
 const hostname = url.hostname;
- console.log(`[CORS] Parsed hostname: ${hostname}`);
 if (
 hostname === 'localhost' ||
@@ -193,16 +189,14 @@ app.use(
 hostname.startsWith('10.') ||
 hostname.startsWith('172.')
 ) {
- console.log(`[CORS] ✓ Allowing origin: ${origin}`);
 callback(null, origin);
 return;
 }
 } catch (err) {
- console.error(`[CORS] Error parsing URL: ${origin}`, err);
+ // Ignore URL parsing errors
 }
 // Reject other origins by default for security
- console.log(`[CORS] ✗ Rejecting origin: ${origin}`);
 callback(new Error('Not allowed by CORS'));
 },
 credentials: true,
diff --git a/start-automaker.sh b/start-automaker.sh
index a2d3e54c..86be391c 100755
--- a/start-automaker.sh
+++ b/start-automaker.sh
@@ -1075,7 +1075,7 @@ case $MODE in
 export TEST_PORT="$WEB_PORT"
 export VITE_SERVER_URL="http://$HOSTNAME:$SERVER_PORT"
 export PORT="$SERVER_PORT"
- export CORS_ORIGIN="http://$HOSTNAME:$WEB_PORT,http://127.0.0.1:$WEB_PORT"
+ export CORS_ORIGIN="http://localhost:$WEB_PORT,http://$HOSTNAME:$WEB_PORT,http://127.0.0.1:$WEB_PORT"
 export VITE_APP_MODE="1"
 if [ "$PRODUCTION_MODE" = true ]; then
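Review bot: The private-network fallback kept in the `@@ -193,16 +189,14 @@` hunk matches on string prefixes, so `hostname.startsWith('10.')` and `hostname.startsWith('172.')` accept any hostname that merely begins with those characters, public DNS names included, and `172.` covers all of 172.0.0.0/8 rather than only 172.16.0.0/12. Because the policy is sent with `credentials: true`, such an origin would be reflected for credentialed requests whenever this fallback is reached, which appears to be when CORS_ORIGIN is unset or starts with `*`. Require a literal IPv4 address before the range test, for example `isIPv4(hostname) && (hostname.startsWith('10.') || /^172\.(1[6-9]|2\d|3[01])\./.test(hostname))` with `isIPv4` from `node:net`. The hunk also removes the only record of denied origins; keeping a single rejection log line (with the origin value sanitised) would preserve that signal for monitoring. The `if (` condition begins above this hunk, so its other branches are not visible here.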
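Review bot: The new `export CORS_ORIGIN=...` line in start-automaker.sh overwrites any CORS_ORIGIN the operator has already set, and it sits before the `if [ "$PRODUCTION_MODE" = true ]` test, so the plain-http localhost and loopback origins appear to apply to production web mode as well. Since the server compares origins by exact string and answers with credentials, keep this list as the development default but let an existing value win: `export CORS_ORIGIN="${CORS_ORIGIN:-http://localhost:$WEB_PORT,http://$HOSTNAME:$WEB_PORT,http://127.0.0.1:$WEB_PORT}"`. A one-line comment above it stating that each entry must match scheme, host and port exactly would help whoever edits the list next. The `case` branch starts and ends outside the hunk, so an earlier assignment or a production override may exist that is not visible here.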