From f71e47b571257566019cb4056af076682da107b6 Mon Sep 17 00:00:00 2001 From: manuel_boissiere Date: Sat, 16 May 2026 10:38:34 +0100 Subject: [PATCH] Add ALLOWED_DEV_ORIGINS support for cross-origin dev mode Next.js 16 blocks cross-origin requests to /_next/* dev resources by default. When the dev server runs behind a reverse proxy (or any host that isn't localhost), HMR and dev chunk requests are blocked and React fails to hydrate. The page renders the SSR HTML but client-side JS never takes over, so forms submit natively instead of via React. Symptom seen in container/proxy setups: clicking "Create account" performs a native GET to /auth/sign-up?, never POSTs to /api/auth/sign-up/email, and the user is never created. Plumb a comma-separated ALLOWED_DEV_ORIGINS env var through to NextConfig.allowedDevOrigins. Default stays empty (matches current behavior for plain localhost dev). Example: ALLOWED_DEV_ORIGINS=bigset.example.com bun dev See: https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins --- frontend/next.config.ts | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/frontend/next.config.ts b/frontend/next.config.ts index 6bd62bd..c6c37fb 100644 --- a/frontend/next.config.ts +++ b/frontend/next.config.ts @@ -1,6 +1,18 @@ import type { NextConfig } from "next"; +// Hosts allowed to load /_next/* dev resources from this dev server. +// Next.js 16 blocks cross-origin dev requests by default; without this, +// running `next dev` behind any reverse proxy or non-localhost origin +// silently breaks HMR and React hydration. +// Set ALLOWED_DEV_ORIGINS as a comma-separated list, e.g. +// ALLOWED_DEV_ORIGINS=bigset.example.com,staging.example.com +const allowedDevOrigins = (process.env.ALLOWED_DEV_ORIGINS || "") + .split(",") + .map((s) => s.trim()) + .filter(Boolean); + const nextConfig: NextConfig = { + allowedDevOrigins, async rewrites() { return [ {