From dd43fde106da42e208d63e3a10a5d40d6770f31f Mon Sep 17 00:00:00 2001
From: Nicolas Cantu <nicolas.cantu@pm.me>
Date: Thu, 18 Sep 2025 15:01:38 +0000
Subject: [PATCH] ci: docker_tag=ext chore: sync conf/docs (CORS, redirect
 authorized-client)

---
 .env.exemple                    |  7 +++--
 conf/nginx/dev4.4nkweb.com.conf | 53 +++++++++++++++++++++++++++++++++
 docs/DEPLOIEMENT_dev4.md        |  4 +--
 3 files changed, 59 insertions(+), 5 deletions(-)

diff --git a/.env.exemple b/.env.exemple
index 405d73b..5ee9a28 100644
--- a/.env.exemple
+++ b/.env.exemple
@@ -40,12 +40,13 @@ NEXT_PUBLIC_API_URL=https://dev4.4nkweb.com/api
 NEXT_PUBLIC_DEFAULT_VALIDATOR_ID=28c9a3a8151bef545ebf700ca5222c63d0031ad593097e95c1de202464304a99
 NEXT_PUBLIC_DEFAULT_STORAGE_URLS=https://dev4.4nkweb.com/storage
 SIGNER_BASE_URL=https://dev3.4nkweb.com/signer/
+CORS_ALLOWED_ORIGINS=http://local.4nkweb.com:3000,https://dev4.4nkweb.com
 
 # WS
 # RELAY_URLS=wss://demo.4nkweb.com/ws
 RELAY_URLS=wss://dev4.4nkweb.com/ws
-# SIGNER_WS_URL=https://dev4.4nkweb.com/signer/
-SIGNER_WS_URL=https://dev3.4nkweb.com/signer/
+# SIGNER_WS_URL=ws://dev4.4nkweb.com/signer/
+SIGNER_WS_URL=ws://dev3.4nkweb.com
 
 
 # IHM URLS
@@ -85,4 +86,4 @@ STRIPE_STANDARD_ANNUAL_SUBSCRIPTION_PRICE_ID=
 STRIPE_UNLIMITED_SUBSCRIPTION_PRICE_ID=
 STRIPE_UNLIMITED_ANNUAL_SUBSCRIPTION_PRICE_ID=
 
-SIGNER_API_KEY=your_signer_api_key_here
\ No newline at end of file
+SIGNER_API_KEY=your-api-key-change-this
\ No newline at end of file
diff --git a/conf/nginx/dev4.4nkweb.com.conf b/conf/nginx/dev4.4nkweb.com.conf
index 4819b1f..1ebb982 100644
--- a/conf/nginx/dev4.4nkweb.com.conf
+++ b/conf/nginx/dev4.4nkweb.com.conf
@@ -21,7 +21,32 @@ server {
     }
 
     # API direct - route /api/ vers le backend
+    # Autorisations CORS dynamiques pour origines connues
+    set $cors_origin "";
+    if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
+        set $cors_origin $http_origin;
+    }
+
     location /api/ {
+        # CORS pour développement local Next.js
+        proxy_hide_header Access-Control-Allow-Origin;
+        proxy_hide_header Access-Control-Allow-Credentials;
+        proxy_hide_header Access-Control-Allow-Headers;
+        proxy_hide_header Access-Control-Allow-Methods;
+
+        if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+            return 204;
+        }
+
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+
         proxy_pass http://127.0.0.1:8080/api/;
         include /etc/nginx/proxy_params;
         proxy_read_timeout 300;
@@ -29,6 +54,34 @@ server {
         proxy_send_timeout 300;
     }
 
+    # Compat: certains clients appellent /apiv1 -> réécriture vers /api/v1
+    location ~* ^/apiv1/(.*)$ {
+        # CORS pour compatibilité
+        proxy_hide_header Access-Control-Allow-Origin;
+        proxy_hide_header Access-Control-Allow-Credentials;
+        proxy_hide_header Access-Control-Allow-Headers;
+        proxy_hide_header Access-Control-Allow-Methods;
+
+        if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+            return 204;
+        }
+
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+
+        proxy_pass http://127.0.0.1:8080/api/v1/$1;
+        include /etc/nginx/proxy_params;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+    }
+
     # ihm_client (root)
     location / {
         proxy_pass http://127.0.0.1:3003;
diff --git a/docs/DEPLOIEMENT_dev4.md b/docs/DEPLOIEMENT_dev4.md
index ed9b119..f90dae2 100644
--- a/docs/DEPLOIEMENT_dev4.md
+++ b/docs/DEPLOIEMENT_dev4.md
@@ -12,8 +12,8 @@
 - Next.js: basePath /lecoffre, build production, NODE_OPTIONS max-old-space-size 2048
 - Extraits .env pertinents:
   - RELAY_URLS wss://dev4.4nkweb.com/ws
-  - SIGNER_WS_URL https://dev4.4nkweb.com/signer/
-  - VITE_BOOTSTRAPURL https://dev4.4nkweb.com/ws
+  - SIGNER_WS_URL ws://dev4.4nkweb.com/signer/
+  - VITE_BOOTSTRAPURL ws://dev4.4nkweb.com/ws
 - Correction 502: build Next terminé, Nginx OK
 
 ## Redirection locale depuis local.4nkweb.com:3000