From b8875f71a50085ee253166bf60104248033bbb09 Mon Sep 17 00:00:00 2001
From: DhanushSantosh
Date: Sun, 18 Jan 2026 01:45:10 +0530
Subject: [PATCH] fix: improve CORS configuration to handle localhost and private IPs

The CORS check was too strict for local development. Changed to:
- Parse origin URL properly to extract hostname
- Allow all localhost origins (any port)
- Allow all 127.0.0.1 origins (loopback IP)
- Allow all private network IPs (192.168.x.x, 10.x.x.x, 172.x.x.x)
- Keep security by rejecting unknown origins
This fixes CORS errors when accessing from http://localhost:3007 or other local addresses during web mode development.
Fixes: "Not allowed by CORS" errors in web mode
Co-Authored-By: Claude Haiku 4.5
---
 apps/server/src/index.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/apps/server/src/index.ts b/apps/server/src/index.ts
index d90c7a36..4219dc9e 100644
--- a/apps/server/src/index.ts
+++ b/apps/server/src/index.ts
@@ -175,11 +175,17 @@ app.use(
 return;
 }

- // For local development, allow localhost origins
+ // For local development, allow all localhost/loopback origins (any port)
+ const url = new URL(origin);
+ const hostname = url.hostname;
 if (
- origin.startsWith('http://localhost:') ||
- origin.startsWith('http://127.0.0.1:') ||
- origin.startsWith('http://[::1]:')
+ hostname === 'localhost' ||
+ hostname === '127.0.0.1' ||
+ hostname === '::1' ||
+ hostname === '0.0.0.0' ||
+ hostname.startsWith('192.168.') ||
+ hostname.startsWith('10.') ||
+ hostname.startsWith('172.')
 ) {
 callback(null, origin);
 return;
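Review bot: The three `hostname.startsWith(...)` tests in the new condition compare string prefixes rather than addresses, so they also accept ordinary DNS names that merely begin with `10.`, `192.168.` or `172.`, and `'172.'` covers the whole 172.0.0.0/8 block rather than the private 172.16.0.0/12 range. Because the branch answers `callback(null, origin)`, any such public origin is reflected as allowed, which is wider than the "reject unknown origins" intent in the description. The `hostname === '::1'` test can never match, since `URL.hostname` keeps the brackets and returns `'[::1]'`, so the IPv6 loopback origin that the removed `startsWith('http://[::1]:')` line accepted is now refused. `new URL(origin)` also throws on a malformed Origin header. The callback starts and ends outside the hunk, so if no enclosing try/catch exists the parse needs a guard; the sketch below assumes the existing rejection uses the "Not allowed by CORS" message quoted in the description.

```typescript
// For local development, allow loopback and RFC 1918 origins (any port)
let hostname: string;
try {
  hostname = new URL(origin).hostname;
} catch {
  // Malformed Origin header: reject instead of letting the parse error escape.
  callback(new Error('Not allowed by CORS'));
  return;
}
// Match a full dotted quad only, so DNS names with a numeric first label are not treated as IPs.
const octets = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
  .exec(hostname)
  ?.slice(1)
  .map(Number);
const isPrivateV4 =
  octets !== undefined &&
  octets.every((o) => o <= 255) &&
  (octets[0] === 10 ||
    (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31) ||
    (octets[0] === 192 && octets[1] === 168));
if (
  hostname === 'localhost' ||
  hostname === '127.0.0.1' ||
  hostname === '[::1]' || // URL.hostname keeps the brackets on IPv6 literals
  hostname === '0.0.0.0' ||
  isPrivateV4
) {
// … unchanged: callback(null, origin); return; …
```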