debug: add CORS logging to diagnose origin rejection

Added detailed logging to see: - What origin is being sent - How the hostname is parsed - Why origins are being accepted/rejected This will help us understand why CORS is still failing in web mode. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-01-30 06:12:03 +00:00 · 2026-01-18 01:47:53 +05:30
parent b8875f71a5
commit e10cb83adc
1 changed files with 24 additions and 13 deletions
--- a/apps/server/src/index.ts
+++ b/apps/server/src/index.ts
@@ -164,9 +164,12 @@ app.use(
        return;
      }

+      console.log(`[CORS] Checking origin: ${origin}`);
+
      // If CORS_ORIGIN is set, use it (can be comma-separated list)
      const allowedOrigins = process.env.CORS_ORIGIN?.split(',').map((o) => o.trim());
      if (allowedOrigins && allowedOrigins.length > 0 && allowedOrigins[0] !== '*') {
+        console.log(`[CORS] CORS_ORIGIN env var is set: ${allowedOrigins.join(', ')}`);
        if (allowedOrigins.includes(origin)) {
          callback(null, origin);
        } else {
@@ -176,22 +179,30 @@ app.use(
      }

      // For local development, allow all localhost/loopback origins (any port)
-      const url = new URL(origin);
-      const hostname = url.hostname;
-      if (
-        hostname === 'localhost' ||
-        hostname === '127.0.0.1' ||
-        hostname === '::1' ||
-        hostname === '0.0.0.0' ||
-        hostname.startsWith('192.168.') ||
-        hostname.startsWith('10.') ||
-        hostname.startsWith('172.')
-      ) {
-        callback(null, origin);
-        return;
+      try {
+        const url = new URL(origin);
+        const hostname = url.hostname;
+        console.log(`[CORS] Parsed hostname: ${hostname}`);
+
+        if (
+          hostname === 'localhost' ||
+          hostname === '127.0.0.1' ||
+          hostname === '::1' ||
+          hostname === '0.0.0.0' ||
+          hostname.startsWith('192.168.') ||
+          hostname.startsWith('10.') ||
+          hostname.startsWith('172.')
+        ) {
+          console.log(`[CORS] ✓ Allowing origin: ${origin}`);
+          callback(null, origin);
+          return;
+        }
+      } catch (err) {
+        console.error(`[CORS] Error parsing URL: ${origin}`, err);
      }

      // Reject other origins by default for security
+      console.log(`[CORS] ✗ Rejecting origin: ${origin}`);
      callback(new Error('Not allowed by CORS'));
    },
    credentials: true,