cors apifix

src/components/TopicView.jsx

@@ -7,13 +7,13 @@ import { LEGACY_BASE_URL, REST_BASE_URL } from '../data/topics'
 const ADMIN_SECRET = 'nearle-admin-secret'
 
 function toProxyPath(fullUrl) {
-  // In dev, route REST through the Vite proxy (/live → jupiter.nearle.app)
-  // to bypass CORS restrictions on localhost.
-  if (import.meta.env.DEV && fullUrl.startsWith(REST_BASE_URL)) {
+  // REST: always strip to a relative /live/... path so the request goes through
+  // the local server proxy (Vite dev/preview, or nginx in production).
+  // This avoids CORS entirely — the browser never talks to jupiter.nearle.app directly.
+  if (fullUrl.startsWith(REST_BASE_URL)) {
     return fullUrl.slice(REST_BASE_URL.length)
   }
-  // Legacy (api.workolik.com): CORS open, admin secret injected in headers.
-  // REST in production: deployed origin is whitelisted by jupiter.nearle.app.
+  // Legacy (api.workolik.com): CORS is open, admin secret injected in headers.
   return fullUrl
 }
 

vite.config.js

@@ -11,12 +11,7 @@ export default defineConfig(({ mode }) => {
     console.warn('[xpress-docs] HASURA_ADMIN_SECRET is not set in .env.local; proxied requests will hit the API without auth.')
   }
 
-  return {
-    plugins: [react()],
-    server: {
-      port: 5173,
-      open: true,
-      proxy: {
+  const proxyConfig = {
     '/api': {
       target: 'https://api.workolik.com',
       changeOrigin: true,
@@ -33,6 +28,17 @@ export default defineConfig(({ mode }) => {
       secure: true,
     }
   }
+
+  return {
+    plugins: [react()],
+    server: {
+      port: 5173,
+      open: true,
+      proxy: proxyConfig,
+    },
+    preview: {
+      port: 4173,
+      proxy: proxyConfig,
     }
   }
 })