Skip to content

docs: use CORS_ORIGIN, the env var the server actually reads#978

Open
Anexus5919 wants to merge 1 commit into
Somil450:mainfrom
Anexus5919:fix/docs-cors-origin-env-name
Open

docs: use CORS_ORIGIN, the env var the server actually reads#978
Anexus5919 wants to merge 1 commit into
Somil450:mainfrom
Anexus5919:fix/docs-cors-origin-env-name

Conversation

@Anexus5919

Copy link
Copy Markdown
Contributor

📌 Related Issue

Fixes #917


📝 Description

The root docs told users to set ALLOWED_ORIGIN, but the backend reads CORS_ORIGIN and throws CORS_ORIGIN must be set in production on boot when it is unset. ALLOWED_ORIGIN is read only by the unreferenced legacy server/src/app.js (the start script is node src/index.js -> config/env.js). So following the docs left CORS_ORIGIN unset and crashed production on startup.

🔹 What has been changed?

  • .env.example (root): ALLOWED_ORIGIN -> CORS_ORIGIN.
  • API.md: the backend .env example uses CORS_ORIGIN, and the environment-variable table is corrected (it had the two names inverted, describing CORS_ORIGIN as a legacy alias of ALLOWED_ORIGIN). The table now lists CORS_ORIGIN as required in production and notes the boot-time throw.
  • README.md: the backend .env block and the deployment paragraph use CORS_ORIGIN.

🔹 Why are these changes needed?

  • The documented variable must be the one the server actually reads. Aligning the root docs on CORS_ORIGIN matches server/src/config/env.js and the server's own server/.env.example / server/README.md, so following the docs brings up a working production server instead of crashing on boot.

🛠️ Type of Change

  • 📖 Documentation Update

🧪 Testing

✅ Tests Performed

  • Tested locally
  • Grepped the three root docs: no ALLOWED_ORIGIN remains; CORS_ORIGIN is present in each.
  • Cross-checked against server/src/config/env.js (reads process.env.CORS_ORIGIN, throws if unset in production) and the server's own docs (server/.env.example, server/README.md), which already use CORS_ORIGIN.

🌐 Browsers Tested

Not applicable (documentation-only change; no code or server behavior changes).


📷 Screenshots / Demo (if applicable)

Not applicable.


📋 Checklist

  • I have read the project's CONTRIBUTING guidelines
  • My code follows the project style guidelines
  • I have performed a self-review of my code
  • I have tested my changes locally
  • I have added/updated documentation where necessary
  • My changes do not introduce new warnings or errors
  • This PR is linked to an existing issue

💬 Additional Notes

Branched from latest upstream/main (5464425). Documentation-only; no server behavior changes. An alternative would be to make env.js also accept ALLOWED_ORIGIN, but the running server has never read it (only the dead app.js did), so aligning the docs on CORS_ORIGIN is the minimal, consistent fix.

@vercel

vercel Bot commented Jun 26, 2026

Copy link
Copy Markdown

@Anexus5919 is attempting to deploy a commit to the somiljain2024-4175's projects Team on Vercel.

A member of the Team first needs to authorize it.

@Anexus5919

Copy link
Copy Markdown
Contributor Author

@Somil450 @diksha78dev Kindly have a review on this pr. Thanks!

The root .env.example, API.md, and README.md told users to set
ALLOWED_ORIGIN, but the server's entry point (index.js -> config/env.js)
reads only CORS_ORIGIN and throws "CORS_ORIGIN must be set in production"
on boot when it is unset. ALLOWED_ORIGIN is read only by the unreferenced
legacy app.js. So following the docs left CORS_ORIGIN unset and crashed
production on startup.

Align the root docs on CORS_ORIGIN (matching config/env.js and the
server's own server/.env.example and server/README.md), and fix the
API.md env table, which had the two names inverted.
@Anexus5919 Anexus5919 force-pushed the fix/docs-cors-origin-env-name branch from 6abce07 to 2dd0cf8 Compare July 1, 2026 07:19
@Anexus5919

Copy link
Copy Markdown
Contributor Author

@Somil450 @diksha78dev Kindly have a review on this pr. Thanks!

@Anexus5919

Copy link
Copy Markdown
Contributor Author

This failing check is from main, not this PR. Main's CI is currently broken (ShieldAlert used without importing it, plus untyped "privacy"/"terms&conditions" screens), so every PR goes red, even docs-only ones. Fix is up in #1039. Once it merges, a rebase turns this green. Merges cleanly with base.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Docs say ALLOWED_ORIGIN but the server reads CORS_ORIGIN and throws in production; following the docs crashes prod on boot

1 participant