Add hostname configuration for production deployment

Add environment variable configuration to support deployment on custom domains like https://awards.dj7nt.de ## Changes - Add .env.example with configuration template - Update API client to use VITE_API_BASE_URL with fallback to /api - Update SvelteKit config to use VITE_APP_URL for CSRF trusted origins - Update backend CORS to use configurable allowed origins - Add ALLOWED_ORIGINS environment variable for production - Add build and preview scripts to package.json - Update README with production deployment guide and nginx example ## Environment Variables - VITE_APP_URL: Application hostname (e.g., https://awards.dj7nt.de) - VITE_API_BASE_URL: API base URL (empty = relative paths) - ALLOWED_ORIGINS: Comma-separated CORS origins - JWT_SECRET: Strong secret for production - NODE_ENV: development/production Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-16 08:22:37 +01:00
parent afe150f15c
commit a4ed1ec6d6
6 changed files with 130 additions and 10 deletions
--- a/src/backend/index.js
+++ b/src/backend/index.js
@@ -25,10 +25,18 @@ import {
 * Main backend application
 * Serves API routes
 */
+
+// Get allowed origins from environment or allow all in development
+const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',')
+  : process.env.NODE_ENV === 'production'
+    ? [process.env.VITE_APP_URL || 'https://awards.dj7nt.de']
+    : true; // Allow all in development
+
 const app = new Elysia()
  // Enable CORS for frontend communication
  .use(cors({
-    origin: true, // Allow all origins in development
+    origin: ALLOWED_ORIGINS,
    credentials: true,
    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  }))
--- a/src/frontend/src/lib/api.js
+++ b/src/frontend/src/lib/api.js
@@ -1,10 +1,10 @@
 import { browser } from '$app/environment';

 /**
- * API base URL - proxied through SvelteKit dev server
- * In production, this will be relative to the same origin
+ * API base URL - configurable via environment variable
+ * Falls back to relative path for same-domain deployment
 */
-const API_BASE = '/api';
+const API_BASE = import.meta.env.VITE_API_BASE_URL || '/api';

 /**
 * Make an API request
--- a/src/frontend/svelte.config.js
+++ b/src/frontend/svelte.config.js
@@ -4,9 +4,14 @@ import adapter from '@sveltejs/adapter-auto';
 const config = {
 	kit: {
 		adapter: adapter(),
+		// Get app URL from environment or default to localhost
+		// This is used for production builds and CSRF configuration
+		// Set via VITE_APP_URL environment variable
 		// Disable origin checks in dev to prevent issues with browser extensions
 		csrf: {
-			trustedOrigins: process.env.NODE_ENV === 'production' ? undefined : ['http://localhost:5173', 'http://127.0.0.1:5173']
+			trustedOrigins: process.env.NODE_ENV === 'production'
+				? (process.env.VITE_APP_URL ? [new URL(process.env.VITE_APP_URL).origin] : undefined)
+				: ['http://localhost:5173', 'http://127.0.0.1:5173']
 		}
 	}
 };