⚙️ feat: Support multiple CORS origins via comma-separated UI_BASE_URL #27
Merged
AdaInTheLab merged 2 commits into main, Apr 16, 2026
Previously CORS allowed UI_BASE_URL plus two hardcoded ironkitsune.tech origins. This meant adding a new domain required a code change and deploy. Now UI_BASE_URL can be a comma-separated list and drives both the CORS allowlist and the primary redirect URL.

Changes:
- env.ts: parse UI_BASE_URL as a list (trim, drop trailing slash)
- env.ts: export UI_ALLOWED_ORIGINS (all entries) and keep UI_BASE_URL as the first entry (used for OAuth redirects)
- app.ts: remove hardcoded ironkitsune.tech entries, use env list

Prod .env needs updating to:
UI_BASE_URL=https://thehumanpatternlab.com,https://ironkitsune.tech,https://www.ironkitsune.tech

Co-authored-by: Sage <sage@thehumanpatternlab.com>
😼 Carmel Judgment Stamp™
This automated judgment has been issued by the Chief Judgment Office (CJO).
The previous commit changed UI_BASE_URL to accept a comma-separated list, but adminRoutes was still reading process.env.UI_BASE_URL raw. With the new format that would produce a broken OAuth redirect like:

https://thehumanpatternlab.com,https://ironkitsune.tech/admin/dashboard

Switch adminRoutes to use env.UI_BASE_URL (the parsed first entry), so redirects go to the primary UI origin only.

Also:
- Remove dead uiOrigin variable in app.ts (no longer referenced)
- Fix .env.example: UI_BASE_URL default was pointing at the API port (8001), now points at Vite's default (5173) with documentation showing the comma-separated syntax

Co-authored-by: Sage <sage@thehumanpatternlab.com>
Summary

Let UI_BASE_URL accept a comma-separated list of origins. All entries are added to the CORS allowlist; the first entry stays the "primary" origin used for OAuth redirects. Removes the hardcoded ironkitsune.tech entries from app.ts so adding new domains is a config-only change.

Changes

src/env.ts
- parseOriginList() helper — splits on comma, trims, drops trailing slash
- UI_BASE_URL now resolves to the first entry in the list (preserves OAuth redirect behavior)
- UI_ALLOWED_ORIGINS: string[] exposes the full parsed list

src/app.ts
- ironkitsune.tech + www.ironkitsune.tech entries
- env.UI_ALLOWED_ORIGINS, falling back to http://localhost:5173 in dev

Deployment note

Prod .env must be updated on merge:

Testing
- npx tsc --noEmit — clean
- npm test — 41/41 passing

Breaking Changes

None — single-value UI_BASE_URL still works unchanged. Only behavior change: the hardcoded ironkitsune origins must now be listed in env.

Co-authored-by: Sage <sage@thehumanpatternlab.com>
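
The parsing described in the summary above, as an added example that is not the project's own code: a stricter variant that fails at startup on any entry that is not a bare http(s) origin and matches the Origin header by exact string. Only the names parseOriginList, UI_ALLOWED_ORIGINS and UI_BASE_URL come from the PR; the function bodies, isAllowedOrigin, the regex (which does not cover IPv6 literals) and the sample value are assumptions for illustration.

```typescript
// Added example: hypothetical stricter version of the parseOriginList() helper.
// A bare origin is scheme://host[:port]; no path, query, userinfo or wildcard.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i;

function parseOriginList(raw: string): string[] {
  const origins: string[] = [];
  for (const part of raw.split(",")) {
    const entry = part.trim().replace(/\/+$/, ""); // trim, drop trailing slash (as in the PR)
    if (entry === "") continue; // tolerate "a,,b" and a trailing comma
    const m = ORIGIN_RE.exec(entry);
    if (m === null) {
      // "*", "https://*.example.com" or "https://host/path" can never equal a
      // browser's Origin header, so refuse to start with a misleading allowlist.
      throw new Error(`UI_BASE_URL entry is not a bare http(s) origin: ${entry}`);
    }
    const scheme = m[1].toLowerCase();
    const host = m[2].toLowerCase();
    const port = m[3];
    // Browsers serialize origins in lowercase and omit the default port.
    const isDefaultPort = (scheme === "https" && port === "443") || (scheme === "http" && port === "80");
    const origin = `${scheme}://${host}${port && !isDefaultPort ? ":" + port : ""}`;
    if (origins.indexOf(origin) === -1) origins.push(origin); // de-duplicate
  }
  if (origins.length === 0) throw new Error("UI_BASE_URL must list at least one origin");
  return origins;
}

// Exact string match only: a prefix or substring test would also accept
// look-alike hosts such as https://ironkitsune.tech.example.
function isAllowedOrigin(origin: string | undefined, allowed: readonly string[]): boolean {
  return origin !== undefined && allowed.indexOf(origin) !== -1;
}

// Constructed sample value in the comma-separated format from the PR.
const sample = "https://thehumanpatternlab.com/, https://ironkitsune.tech ,https://www.ironkitsune.tech";
const UI_ALLOWED_ORIGINS = parseOriginList(sample);
// Redirects are built from the first entry only, never from the raw env string.
const UI_BASE_URL = UI_ALLOWED_ORIGINS[0];
```
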