From 986c3acea10f1cfd457d543fb309ff8b3724ad28 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Thu, 14 May 2026 15:37:04 +0200 Subject: [PATCH] fix(portal-bff): add portal-admin :4300 to CORS_ALLOWED_ORIGINS in .env.example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Caught while reviewing the previous port-correction commit on this branch. The CORS section still pointed to "Add :4201 once portal-admin grows its own dev server" โ€” but portal-admin has its dev server (on :4300, not :4201), and the SPA will hit the BFF with credentials as soon as the admin auth flow lands. Without the origin in the allowlist the browser blocks the call and the developer chases a CORS error instead of getting to work. Updates the example to list both dev origins and points at `apps//project.json` `serve.options.port` as the source of truth so future readers don't have to grep for it. Local `.env` is on the developer to update โ€” this only touches `.env.example`. Behaviour change is opt-in. --- apps/portal-bff/.env.example | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/portal-bff/.env.example b/apps/portal-bff/.env.example index 4ee0412..aa67ea3 100644 --- a/apps/portal-bff/.env.example +++ b/apps/portal-bff/.env.example @@ -133,9 +133,10 @@ LOG_USER_ID_SALT=replace_with_32_random_bytes_base64url # defaulting to localhost is the classic "works in dev, breaks in # prod" trap. # -# Local dev: the portal-shell dev server on :4200. Add :4201 once -# portal-admin grows its own dev server. -CORS_ALLOWED_ORIGINS=http://localhost:4200 +# Local dev: portal-shell on :4200 and portal-admin on :4300 โ€” both +# call the BFF with credentials. Source of truth for the ports: +# `apps//project.json` `serve.options.port`. +CORS_ALLOWED_ORIGINS=http://localhost:4200,http://localhost:4300 # Rate limiting (per ADR-0015 ยง"DoS mitigation"). Both optional # with conservative defaults; override per environment when traffic