From a7afd4b959f6d99cda4c98b55a56899c2084e44c Mon Sep 17 00:00:00 2001
From: zerone0x <zerone0x@disroot.org>
Date: Wed, 8 Apr 2026 14:39:01 +0800
Subject: [PATCH] feat: wire allowedDevOrigins from CORS_ALLOWED_ORIGINS for
 non-localhost dev access (#355)

* feat: add allowedDevOrigins to Next.js config for non-localhost dev access

Wire CORS_ALLOWED_ORIGINS env var into Next.js allowedDevOrigins config
so that cross-origin HMR/webpack requests from Tailscale or other
non-localhost IPs are not blocked during development.

Fixes #317

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: keep port in allowedDevOrigins

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
---
 apps/web/next.config.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/apps/web/next.config.ts b/apps/web/next.config.ts
index 023491f0..297d337a 100644
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -7,7 +7,24 @@ config({ path: resolve(__dirname, "../../.env") });
 
 const remoteApiUrl = process.env.REMOTE_API_URL || "http://localhost:8080";
 
+// Parse hostnames from CORS_ALLOWED_ORIGINS so that Next.js dev server
+// allows cross-origin HMR / webpack requests (e.g. from Tailscale IPs).
+const allowedDevOrigins = process.env.CORS_ALLOWED_ORIGINS
+  ? process.env.CORS_ALLOWED_ORIGINS.split(",")
+      .map((origin) => {
+        try {
+          return new URL(origin.trim()).host;
+        } catch {
+          return origin.trim();
+        }
+      })
+      .filter(Boolean)
+  : undefined;
+
 const nextConfig: NextConfig = {
+  ...(allowedDevOrigins && allowedDevOrigins.length > 0
+    ? { allowedDevOrigins }
+    : {}),
   images: {
     formats: ["image/avif", "image/webp"],
     qualities: [75, 80, 85],