From d5284b307687704ef8731e68721670ddddeca849 Mon Sep 17 00:00:00 2001
From: CREDO23 <bakerathierry@gmail.com>
Date: Fri, 22 May 2026 19:37:19 +0200
Subject: [PATCH] fix(desktop): bind bundled Next.js on localhost to keep
 window origin stable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Setting HOSTNAME=0.0.0.0 made Next.js standalone canonicalize request.url to
http://0.0.0.0:PORT. The connector OAuth callback's NextResponse.redirect built
its Location from that URL, so navigating it flipped window.location.origin from
http://localhost:PORT to http://0.0.0.0:PORT. The backend CORS allowlist matches
localhost/127.0.0.1 only, blocking every subsequent API call until app restart —
producing the "no internet" / app-down state after connecting any connector.
---
 surfsense_desktop/src/modules/server.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/surfsense_desktop/src/modules/server.ts b/surfsense_desktop/src/modules/server.ts
index e2f078a8c..17fcfb445 100644
--- a/surfsense_desktop/src/modules/server.ts
+++ b/surfsense_desktop/src/modules/server.ts
@@ -39,7 +39,8 @@ export async function startNextServer(): Promise<void> {
   const serverScript = path.join(standalonePath, 'server.js');
 
   process.env.PORT = String(serverPort);
-  process.env.HOSTNAME = '0.0.0.0';
+  // Loopback bind: 0.0.0.0 leaks into request.url and flips window origin via NextResponse.redirect.
+  process.env.HOSTNAME = 'localhost';
   process.env.NODE_ENV = 'production';
   process.chdir(standalonePath);