📜 Description
The CORS configuration is designed to enable wildcard origin (*) for specific routes, including those matching /v1/inbox, via the isInboxRoute function. However, when a global API_CONTEXT_PATH (e.g., "api") is configured for the NestJS application, the req.url property passed to the corsOptionsDelegate includes this context path.
This causes the isInboxRoute check, url.startsWith('/v1/inbox'), to fail because the actual url will be, for example, /api/v1/inbox instead of /v1/inbox. Consequently, enableWildcard returns false for these routes (unless isDevelopmentEnvironment() is true), and the more restrictive origin checking logic is applied, potentially leading to CORS errors if the requesting origin is not explicitly whitelisted.
👟 Reproduction steps
Set env API_CONTEXT_PATH=api
Inbox connection in frontend application fails with CORS
👍 Expected behavior
Set env API_CONTEXT_PATH=api
Inbox connection in frontend application should work
👎 Actual Behavior with Screenshots

Novu version
image: ghcr.io/novuhq/novu/dashboard:2.2.0
npm version
No response
node version
No response
📃 Provide any additional context for the Bug.
No response
👀 Have you spent some time to check if this bug has been raised before?
- I checked and didn't find a similar issue
🏢 Have you read the Contributing Guidelines?
- I have read the Contributing Guidelines
Are you willing to submit PR?
None
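
The mismatch reported above, as an added example that is not Novu's code or a fix from the project: the prefix check as the issue describes it, next to a context-path-aware variant. `normalizeContextPath`, `stripContextPath`, the two-argument `isInboxRoute` and the sample URLs are hypothetical; matching on a path-segment boundary is an assumption that is stricter than the `startsWith` check quoted in the report, so the wildcard origin stays scoped to the inbox routes.

```javascript
// Added example; every name except API_CONTEXT_PATH and isInboxRoute is hypothetical.

// The check as the issue describes it: a bare prefix test on req.url.
function isInboxRouteAsReported(url) {
  return url.startsWith('/v1/inbox');
}

// Normalize a context path such as "api", "/api" or "/api/" to "/api"; "" stays "".
function normalizeContextPath(contextPath) {
  const trimmed = (contextPath || '').replace(/^\/+|\/+$/g, '');
  return trimmed ? `/${trimmed}` : '';
}

// Strip the context path only when it is a whole leading path segment,
// so "/apiv1/inbox" is not mistaken for "/api" + "/v1/inbox".
function stripContextPath(url, contextPath) {
  const prefix = normalizeContextPath(contextPath);
  const path = url.split('?')[0]; // the query string plays no part in route matching
  if (!prefix) return path;
  if (path === prefix) return '/';
  return path.startsWith(`${prefix}/`) ? path.slice(prefix.length) : path;
}

// Context-path-aware check. Matching on a segment boundary keeps the wildcard
// origin limited to /v1/inbox and its sub-routes.
function isInboxRoute(url, contextPath) {
  const path = stripContextPath(url, contextPath);
  return path === '/v1/inbox' || path.startsWith('/v1/inbox/');
}

// Constructed sample request URLs, evaluated with API_CONTEXT_PATH=api.
const samples = [
  '/v1/inbox/session',
  '/api/v1/inbox/session?x=1',
  '/apiv1/inbox',
  '/api/v1/inbox-other',
];
for (const url of samples) {
  console.log(url, isInboxRouteAsReported(url), isInboxRoute(url, 'api'));
}
```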