From a955def84935477c66f72ce0f7891bd695fc40e8 Mon Sep 17 00:00:00 2001
From: Tom Butcher
Date: Fri, 6 Mar 2026 23:54:01 +0000
Subject: [PATCH] Enhanced CORS configuration in SocketManager and added allowed origins to server settings in config.json.
---
 config.json | 3 ++-
 src/socket/socketmanager.js | 15 ++++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/config.json b/config.json
index 4afb0c4..4411f61 100644
--- a/config.json
+++ b/config.json
@@ -2,7 +2,8 @@
 "development": {
 "server": {
 "port": 9090,
- "logLevel": "trace"
+ "logLevel": "trace",
+ "corsOrigins": ["https://web.farmcontrol.app", "https://dev.tombutcher.work", "http://localhost:5173", "http://localhost:3000"]
 },
 "auth": {
 "enabled": true,
diff --git a/src/socket/socketmanager.js b/src/socket/socketmanager.js
index f83e1c5..32ddfdd 100644
--- a/src/socket/socketmanager.js
+++ b/src/socket/socketmanager.js
@@ -21,11 +21,20 @@ export class SocketManager {
 this.templateManager = new TemplateManager(this);
 // Use the provided HTTP server
- // Create Socket.IO server
+ // Create Socket.IO server - CORS applies to HTTP long-polling transport
+ const allowedOrigins = config.server.corsOrigins || ['*'];
 const io = new Server(server, {
 cors: {
- origin: config.server.corsOrigins || '*',
- methods: ['GET', 'POST']
+ origin: (origin, callback) => {
+ // Allow requests with no origin (e.g. same-origin, Postman, native apps)
+ if (!origin) return callback(null, true);
+ if (allowedOrigins.includes('*')) return callback(null, true);
+ if (allowedOrigins.includes(origin)) return callback(null, origin);
+ callback(new Error('CORS not allowed'));
+ },
+ methods: ['GET', 'POST'],
+ credentials: true,
+ allowedHeaders: ['Content-Type', 'Authorization']
 }
 });
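Review bot: In the socketmanager.js hunk, the fallback `config.server.corsOrigins || ['*']`, the `allowedOrigins.includes('*')` branch and the new `credentials: true` together turn a missing config key into any origin being accepted with credentials. `callback(null, true)` normally makes the CORS middleware echo the caller's Origin instead of sending a literal `*`, so the browser rule that rejects credentialed wildcard responses no longer protects the long-polling endpoint. Only the `development` block visibly gains `corsOrigins` in this patch, so other environments may be running on that default. Fail closed instead with `const allowedOrigins = config.server.corsOrigins ?? [];` and drop the `includes('*')` line, or honour the wildcard only when `credentials` is off. The enclosing method starts and ends outside the hunk.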