fix(api): allow the gittensory-ui dev-server port in CORS#5248
Conversation
gittensory-ui's dev server (@lovable.dev/vite-tanstack-config) binds port 8080, not Vite's 5173 default. DEFAULT_CORS_ORIGINS only listed 3000/4173/5173, so every local/preview dev server was CORS-blocked from /health and the ApiStatusBanner falsely reported "API unreachable" on every load, even with a healthy API.
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5248 +/- ##
=======================================
Coverage 94.34% 94.34%
=======================================
Files 473 473
Lines 39982 39982
Branches 14576 14576
=======================================
Hits 37722 37722
Misses 1585 1585
Partials 675 675
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-12 11:37:35 UTC
⏸️ Suggested Action - Manual Review
Review summary Blockers
Nits — 5 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Summary
Root cause of the "API unreachable" banner appearing on every local/preview load of gittensory-ui: its dev server (
@lovable.dev/vite-tanstack-config) binds port 8080, not Vite's 5173 default, butDEFAULT_CORS_ORIGINSinsrc/api/routes.tsonly listed 3000/4173/5173 (+ their127.0.0.1equivalents). Every dev/preview build was CORS-blocked from/health, soApiStatusBannerreported the API as unreachable regardless of whether it was actually healthy — verified the deployed API itself responds200in well under a second.Fix: added
http://localhost:8080/http://127.0.0.1:8080toDEFAULT_CORS_ORIGINS.Validation
npx vitest run test/integration/api.test.ts— new regression assertions for the/healthpreflight fromlocalhost:8080and127.0.0.1:8080passnpm run typecheck— cleannpm run test:coverage(unsharded) — full suite greennpm audit --audit-level=moderate— 0 vulnerabilitiesnpm run cf-typegen:check/npm run ui:openapi:check/npm run docs:drift-check— all clean, no driftSafety