Enhanced CORS configuration in SocketManager and added allowed origins to server settings in config.json.

2026-03-06 23:54:01 +00:00 · 2026-03-06 23:54:01 +00:00 · a955def849
commit a955def849
parent ddf230a20a
2 changed files with 14 additions and 4 deletions
--- a/config.json
+++ b/config.json
@ -2,7 +2,8 @@
  "development": {
    "server": {
      "port": 9090,
-      "logLevel": "trace"
+      "logLevel": "trace",
+      "corsOrigins": ["https://web.farmcontrol.app", "https://dev.tombutcher.work", "http://localhost:5173", "http://localhost:3000"]
    },
    "auth": {
      "enabled": true,
--- a/src/socket/socketmanager.js
+++ b/src/socket/socketmanager.js
@ -21,11 +21,20 @@ export class SocketManager {
    this.templateManager = new TemplateManager(this);

    // Use the provided HTTP server
-    // Create Socket.IO server
+    // Create Socket.IO server - CORS applies to HTTP long-polling transport
+    const allowedOrigins = config.server.corsOrigins || ['*'];
    const io = new Server(server, {
      cors: {
-        origin: config.server.corsOrigins || '*',
-        methods: ['GET', 'POST']
+        origin: (origin, callback) => {
+          // Allow requests with no origin (e.g. same-origin, Postman, native apps)
+          if (!origin) return callback(null, true);
+          if (allowedOrigins.includes('*')) return callback(null, true);
+          if (allowedOrigins.includes(origin)) return callback(null, origin);
+          callback(new Error('CORS not allowed'));
+        },
+        methods: ['GET', 'POST'],
+        credentials: true,
+        allowedHeaders: ['Content-Type', 'Authorization']
      }
    });