Fix embed API routing and CORS origins

borisolver · borisolver · commit 74f8d3723499 · 2026-03-19T00:58:03.000+01:00
diff --git a/conf/compose/prod_docker_compose.yml b/conf/compose/prod_docker_compose.yml
@@ -164,6 +164,8 @@ services:
       - INTELLIGENCE_BASE_URL=https://cleanapp.io
       - EMAIL_SERVICE_URL=http://cleanapp_email_service:8080
       - INTERNAL_ADMIN_TOKEN=${INTERNAL_ADMIN_TOKEN}
+      - ALLOWED_ORIGINS=https://cleanapp.io,https://www.cleanapp.io,https://embed.cleanapp.io,https://www.embed.cleanapp.io
+      - WEBSOCKET_ALLOWED_ORIGINS=https://cleanapp.io,https://www.cleanapp.io,https://embed.cleanapp.io,https://www.embed.cleanapp.io
       - MOBILE_PUSH_ENABLED=${MOBILE_PUSH_ENABLED:-false}
       - APNS_TEAM_ID=${APNS_TEAM_ID}
       - APNS_KEY_ID=${APNS_KEY_ID}
diff --git a/conf/nginx/prod/conf.d/embeddedcleanapp.conf b/conf/nginx/prod/conf.d/embeddedcleanapp.conf
@@ -7,6 +7,61 @@ server {
         ssl_certificate_key /etc/nginx/conf.d/STAR_cleanapp_io.key;
         ssl_session_cache shared:SSL:10m;
 
+        # API v3 routes to report-listener (v3) on 9081
+        location /api/v3/ {
+                proxy_pass http://127.0.0.1:9081;
+                proxy_http_version 1.1;
+                proxy_set_header Host $host;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_read_timeout 86400;
+        }
+
+        # API v4 routes to report-listener-v4 on 9097
+        location /api/v4/ {
+                proxy_pass http://127.0.0.1:9097;
+                proxy_http_version 1.1;
+                proxy_set_header Host $host;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_read_timeout 86400;
+        }
+
+        # Next.js API routes - proxy to main frontend, not the static embedded shell
+        location /api/reports/ {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+        }
+
+        location /api/reports-count {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        location /api/geocode {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        location /api/osm-search {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        location /api/places-search {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        # Other legacy API routes to customer service
+        location /api/ {
+                proxy_pass http://127.0.0.1:9080;
+                proxy_set_header Host $host;
+        }
+
         location / {
                 proxy_pass http://127.0.0.1:3002;
                 proxy_set_header Host $host;
diff --git a/conf/nginx/prod/conf.d/livecleanapp.conf b/conf/nginx/prod/conf.d/livecleanapp.conf
@@ -3,18 +3,55 @@ server {
         server_name live.cleanapp.io www.live.cleanapp.io;
         ssl_certificate /etc/nginx/conf.d/STAR_cleanapp_io_chain.crt;
         ssl_certificate_key /etc/nginx/conf.d/STAR_cleanapp_io.key;
-        location / {
+        set $cors_origin "";
+        if ($http_origin ~* "^https://(www\\.)?(cleanapp|embed\\.cleanapp)\\.io$") {
+                set $cors_origin $http_origin;
+        }
+
+        location /api/v3/ {
+                proxy_hide_header 'Access-Control-Allow-Origin';
+                add_header 'Access-Control-Allow-Origin' "$cors_origin" always;
+                add_header 'Vary' 'Origin' always;
+                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+                add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization' always;
+                add_header 'Access-Control-Allow-Credentials' 'true' always;
+
+                if ($request_method = 'OPTIONS') {
+                        return 204;
+                }
+
                 proxy_pass http://127.0.0.1:9081;
                 proxy_http_version 1.1;
+                proxy_set_header Host $host;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "upgrade";
                 proxy_read_timeout 86400;
         }
 
         # v4 API routed to report-listener-v4
         location /api/v4/ {
+                proxy_hide_header 'Access-Control-Allow-Origin';
+                add_header 'Access-Control-Allow-Origin' "$cors_origin" always;
+                add_header 'Vary' 'Origin' always;
+                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+                add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization' always;
+                add_header 'Access-Control-Allow-Credentials' 'true' always;
+
+                if ($request_method = 'OPTIONS') {
+                        return 204;
+                }
+
                 proxy_pass http://127.0.0.1:9097;
                 proxy_http_version 1.1;
+                proxy_set_header Host $host;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_read_timeout 86400;
+        }
+
+        location / {
+                proxy_pass http://127.0.0.1:9081;
+                proxy_http_version 1.1;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "upgrade";
                 proxy_read_timeout 86400;
diff --git a/platform_blueprint/deploy/prod/docker-compose.yml b/platform_blueprint/deploy/prod/docker-compose.yml
@@ -162,6 +162,8 @@ services:
       - INTELLIGENCE_BASE_URL=https://cleanapp.io
       - EMAIL_SERVICE_URL=http://cleanapp_email_service:8080
       - INTERNAL_ADMIN_TOKEN=${INTERNAL_ADMIN_TOKEN}
+      - ALLOWED_ORIGINS=https://cleanapp.io,https://www.cleanapp.io,https://embed.cleanapp.io,https://www.embed.cleanapp.io
+      - WEBSOCKET_ALLOWED_ORIGINS=https://cleanapp.io,https://www.cleanapp.io,https://embed.cleanapp.io,https://www.embed.cleanapp.io
     ports:
       - 127.0.0.1:9081:8080
     depends_on:
diff --git a/platform_blueprint/deploy/prod/nginx_conf_d/embeddedcleanapp.conf b/platform_blueprint/deploy/prod/nginx_conf_d/embeddedcleanapp.conf
@@ -7,6 +7,61 @@ server {
         ssl_certificate_key /etc/nginx/conf.d/STAR_cleanapp_io.key;
         ssl_session_cache shared:SSL:10m;
 
+        # API v3 routes to report-listener (v3) on 9081
+        location /api/v3/ {
+                proxy_pass http://127.0.0.1:9081;
+                proxy_http_version 1.1;
+                proxy_set_header Host $host;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_read_timeout 86400;
+        }
+
+        # API v4 routes to report-listener-v4 on 9097
+        location /api/v4/ {
+                proxy_pass http://127.0.0.1:9097;
+                proxy_http_version 1.1;
+                proxy_set_header Host $host;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_read_timeout 86400;
+        }
+
+        # Next.js API routes - proxy to main frontend, not the static embedded shell
+        location /api/reports/ {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+        }
+
+        location /api/reports-count {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        location /api/geocode {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        location /api/osm-search {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        location /api/places-search {
+                proxy_pass http://127.0.0.1:3001;
+                proxy_set_header Host $host;
+        }
+
+        # Other legacy API routes to customer service
+        location /api/ {
+                proxy_pass http://127.0.0.1:9080;
+                proxy_set_header Host $host;
+        }
+
         location / {
                 proxy_pass http://127.0.0.1:3002;
                 proxy_set_header Host $host;
diff --git a/platform_blueprint/deploy/prod/nginx_conf_d/livecleanapp.conf b/platform_blueprint/deploy/prod/nginx_conf_d/livecleanapp.conf
@@ -4,7 +4,7 @@ server {
         ssl_certificate /etc/nginx/conf.d/STAR_cleanapp_io_chain.crt;
         ssl_certificate_key /etc/nginx/conf.d/STAR_cleanapp_io.key;
         set $cors_origin "";
-        if ($http_origin ~* "^https://(www\\.)?cleanapp\\.io$") {
+        if ($http_origin ~* "^https://(www\\.)?(cleanapp|embed\\.cleanapp)\\.io$") {
                 set $cors_origin $http_origin;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ server {`
`4`	`4`	`ssl_certificate /etc/nginx/conf.d/STAR_cleanapp_io_chain.crt;`
`5`	`5`	`ssl_certificate_key /etc/nginx/conf.d/STAR_cleanapp_io.key;`
`6`	`6`	`set $cors_origin "";`
`7`		`- if ($http_origin ~* "^https://(www\\.)?cleanapp\\.io$") {`
	`7`	`+ if ($http_origin ~* "^https://(www\\.)?(cleanapp\|embed\\.cleanapp)\\.io$") {`
`8`	`8`	`set $cors_origin $http_origin;`
`9`	`9`	`}`
`10`	`10`