Skip to content

Commit 2dd0cf8

Browse files
committed
docs: use CORS_ORIGIN, the env var the server actually reads
The root .env.example, API.md, and README.md told users to set ALLOWED_ORIGIN, but the server's entry point (index.js -> config/env.js) reads only CORS_ORIGIN and throws "CORS_ORIGIN must be set in production" on boot when it is unset. ALLOWED_ORIGIN is read only by the unreferenced legacy app.js. So following the docs left CORS_ORIGIN unset and crashed production on startup. Align the root docs on CORS_ORIGIN (matching config/env.js and the server's own server/.env.example and server/README.md), and fix the API.md env table, which had the two names inverted.
1 parent 824093a commit 2dd0cf8

3 files changed

Lines changed: 5 additions & 6 deletions

File tree

.env.example

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ VITE_APPCHECK_RECAPTCHA_KEY=
2020
# Backend CORS Configuration
2121
# Set this to your deployed frontend URL in production (e.g. https://yourapp.com)
2222
# Defaults to http://localhost:5173 for local development if not set
23-
ALLOWED_ORIGIN=http://localhost:5173
23+
CORS_ORIGIN=http://localhost:5173
2424

2525
# Backend URL (read by the client)
2626
# Base URL of the backend; the client derives the WebSocket URL by swapping

API.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,7 @@ VITE_BACKEND_URL=http://localhost:3001
5050

5151
```
5252
PORT=3001
53-
ALLOWED_ORIGIN=http://localhost:5173
53+
CORS_ORIGIN=http://localhost:5173
5454
SOCKET_AUTH_TOKEN=your-secret-token
5555
HEALTH_SECRET_TOKEN=your-health-token
5656
MAX_FRAMES_PER_SEC=60
@@ -449,8 +449,7 @@ Full reference for all environment variables consumed by the backend.
449449
| Variable | Default | Required | Description |
450450
| ------------------------ | ------- | ---------------- | --------------------------------------------------------------- |
451451
| `PORT` | `3001` | No | Port the HTTP server listens on |
452-
| `ALLOWED_ORIGIN` || Yes (production) | CORS allowed origin — set to your frontend URL |
453-
| `CORS_ORIGIN` || No | Alias for `ALLOWED_ORIGIN` (legacy) |
452+
| `CORS_ORIGIN` || Yes (production) | CORS allowed origin; set to your frontend URL (the server throws on boot if unset in production) |
454453
| `SOCKET_AUTH_TOKEN` | `null` | Server-only | Shared secret for machine-to-machine/proxy auth via `socket.handshake.auth.token`. **Do not** expose in client bundles — use Firebase Auth tokens for browser clients instead |
455454
| `HEALTH_SECRET_TOKEN` || No | Bearer token that grants full metrics on `GET /health` |
456455
| `MAX_FRAMES_PER_SEC` | `60` | No | Per-socket frame rate ceiling |

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -417,7 +417,7 @@ VITE_BACKEND_URL=http://localhost:3001
417417

418418
```env
419419
PORT=3001
420-
ALLOWED_ORIGIN=http://localhost:5173
420+
CORS_ORIGIN=http://localhost:5173
421421
```
422422

423423
> ⚠️ **Never commit `.env` files to version control.** The `.env.example` file is provided as a template.
@@ -543,7 +543,7 @@ npx vercel
543543

544544
### Backend
545545

546-
The backend is a standalone Express + Socket.io server. Deploy to any Node.js-compatible platform (Railway, Render, Fly.io, etc.) and set the `ALLOWED_ORIGIN` env var to your frontend URL.
546+
The backend is a standalone Express + Socket.io server. Deploy to any Node.js-compatible platform (Railway, Render, Fly.io, etc.) and set the `CORS_ORIGIN` env var to your frontend URL.
547547

548548
---
549549

0 commit comments

Comments
 (0)