From 8cf12db72aba138d42334444c217064ddf3220f8 Mon Sep 17 00:00:00 2001
From: CREDO23 <thierrybakera12@gmail.com>
Date: Tue, 17 Mar 2026 19:00:21 +0200
Subject: [PATCH] fix(backend): always allow localhost CORS for desktop app

---
 surfsense_backend/app/app.py | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/surfsense_backend/app/app.py b/surfsense_backend/app/app.py
index e6db5670e..649a7db53 100644
--- a/surfsense_backend/app/app.py
+++ b/surfsense_backend/app/app.py
@@ -340,16 +340,12 @@ if config.NEXT_FRONTEND_URL:
         if www_url not in allowed_origins:
             allowed_origins.append(www_url)
 
-# For local development, also allow common localhost origins
-if not config.BACKEND_URL or (
-    config.NEXT_FRONTEND_URL and "localhost" in config.NEXT_FRONTEND_URL
-):
-    allowed_origins.extend(
-        [
-            "http://localhost:3000",
-            "http://127.0.0.1:3000",
-        ]
-    )
+allowed_origins.extend(
+    [ # For local development and desktop app
+        "http://localhost:3000",
+        "http://127.0.0.1:3000",
+    ]
+)
 
 app.add_middleware(
     CORSMiddleware,