fix(portal-bff): add portal-admin :4300 to CORS_ALLOWED_ORIGINS in .env.example
Caught while reviewing the previous port-correction commit on this branch. The CORS section still pointed to "Add :4201 once portal-admin grows its own dev server" — but portal-admin has its dev server (on :4300, not :4201), and the SPA will hit the BFF with credentials as soon as the admin auth flow lands. Without the origin in the allowlist the browser blocks the call and the developer chases a CORS error instead of getting to work. Updates the example to list both dev origins and points at `apps/<app>/project.json` `serve.options.port` as the source of truth so future readers don't have to grep for it. Local `.env` is on the developer to update — this only touches `.env.example`. Behaviour change is opt-in.
This commit is contained in:
@@ -133,9 +133,10 @@ LOG_USER_ID_SALT=replace_with_32_random_bytes_base64url
|
|||||||
# defaulting to localhost is the classic "works in dev, breaks in
|
# defaulting to localhost is the classic "works in dev, breaks in
|
||||||
# prod" trap.
|
# prod" trap.
|
||||||
#
|
#
|
||||||
# Local dev: the portal-shell dev server on :4200. Add :4201 once
|
# Local dev: portal-shell on :4200 and portal-admin on :4300 — both
|
||||||
# portal-admin grows its own dev server.
|
# call the BFF with credentials. Source of truth for the ports:
|
||||||
CORS_ALLOWED_ORIGINS=http://localhost:4200
|
# `apps/<app>/project.json` `serve.options.port`.
|
||||||
|
CORS_ALLOWED_ORIGINS=http://localhost:4200,http://localhost:4300
|
||||||
|
|
||||||
# Rate limiting (per ADR-0015 §"DoS mitigation"). Both optional
|
# Rate limiting (per ADR-0015 §"DoS mitigation"). Both optional
|
||||||
# with conservative defaults; override per environment when traffic
|
# with conservative defaults; override per environment when traffic
|
||||||
|
|||||||
Reference in New Issue
Block a user