fix: allow vercel preview builds to access the local connector #1794
Closed
neutrino2211 wants to merge 1 commit into npmx-dev:main from neutrino2211:fix/allow-vercel-connector-access
🧩 Analysis chain

🏁 Script executed: head -120 cli/src/server.ts | tail -40
Repository: npmx-dev/npmx.dev
Length of output: 1044
🌐 Web query: Vercel preview deployment URL pattern subdomain structure and how to scope CORS to specific projects or teams

💡 Result:

Vercel preview deployment URL patterns (default .vercel.app)

Vercel "generated URLs" are built from these components: <project-name>, <scope-slug> (team/account slug), optional <branch-name>, and optional <unique-hash>. (vercel.com)

Common preview URL structures from Git: (vercel.com)
- https://<project-name>-<unique-hash>-<scope-slug>.vercel.app
- https://<project-name>-git-<branch-name>-<scope-slug>.vercel.app

(There are also CLI-generated forms like https://<project-name>-<scope-slug>.vercel.app and sometimes ...-<author-name>-... for team deployments.) (vercel.com)

Making preview URLs predictable (best for CORS allowlists)

If you need a stable domain pattern, use Preview Deployment Suffix to replace .vercel.app with a domain you control (configured at the team level, and the domain must exist/be active in that team). (vercel.com)

Example outcome: previews become something like https://<project>...<team>.<your-preview-suffix-domain> instead of ...vercel.app. (vercel.com)

If you want wildcard-style origins (e.g. https://*.preview.example.com), you typically pair this with Vercel-managed DNS / wildcard domain handling so subdomains resolve cleanly. (vercel.com)

How to scope CORS to specific Vercel projects/teams

CORS itself doesn't understand "Vercel project/team"; it only sees the request Origin (scheme + host + port). So you scope by matching the Origin host to the project/team patterns you allow.

Option A (works with default .vercel.app): validate origin by suffix + project prefix

Use a dynamic origin check on your API:
- -<scope-slug>.vercel.app (scopes to one team/account)
- <project-name>- (scopes to one project)
- the -git- (branch) form and/or the -<unique-hash>- (commit) form. (vercel.com)

Example (Node/Next API-style logic):

(That 9-character "unique-hash" length is documented.) (vercel.com)

Option B (recommended for strict allowlists): use a custom Preview Deployment Suffix domain per team

With a suffix like preview.example.com, you can allow:
- https://*.preview.example.com (broad to that team's preview domain), or
- https://<project-pattern>.preview.example.com (narrower),
depending on how your generated hostnames look after the suffix change. (vercel.com)

Option C: if Deployment Protection breaks CORS preflights

If your previews are protected (Vercel Authentication / Password / Trusted IPs), browser OPTIONS preflights can be blocked. Vercel documents using OPTIONS Allowlist so preflights can succeed (commonly for /api/*) while keeping real requests protected. (vercel.com)

If you tell me your team slug, project name, and whether you're using default .vercel.app vs Preview Deployment Suffix, I can give you an exact regex/implementation (and for which environments: preview only vs preview+prod).

Citations:
Scope the Vercel CORS origin pattern to your team's deployments.

The regex /^https:\/\/(.*)\.vercel\.app$/ allows CORS requests from any Vercel deployment (across all users and teams). Whilst token validation provides secondary protection, CORS should still follow the defence-in-depth principle.

Vercel preview URLs include the team/account scope slug. Scope your pattern to match your deployments only:

Replace <your-team-slug> with your Vercel team's slug (visible in your team settings or Vercel preview URLs). This ensures only your team's deployments can request CORS access, not arbitrary Vercel apps from other users or organisations.
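As an added example (not code from the npmx.dev PR or from the project's cli/src/server.ts), here is the pattern flagged in the review beside a team-scoped and a project-scoped alternative built from the URL components described in the web-query result above (Option A), each checked against constructed sample origins. The team slug and project name are placeholders.

```typescript
// Added example (not from the npmx.dev PR): comparing the CORS origin checks
// discussed in the review. Team and project names below are placeholders.
const TEAM_SLUG = "example-team"; // assumption: your Vercel team/scope slug
const PROJECT_NAME = "npmx-dev";  // assumption: your Vercel project name

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Pattern flagged in the review: any *.vercel.app host is accepted.
const weakPattern = /^https:\/\/(.*)\.vercel\.app$/;

// Team-scoped: generated URLs end in "-<scope-slug>.vercel.app".
const teamScopedPattern = new RegExp(
  `^https://[a-z0-9-]+-${escapeRegex(TEAM_SLUG)}\\.vercel\\.app$`,
);

// Project-scoped (strictest of the documented forms):
// <project>-<9-char unique hash>-<team> or <project>-git-<branch>-<team>.
const projectScopedPattern = new RegExp(
  `^https://${escapeRegex(PROJECT_NAME)}-(?:git-[a-z0-9-]+|[a-z0-9]{9})-` +
    `${escapeRegex(TEAM_SLUG)}\\.vercel\\.app$`,
);

// Decide whether a request's Origin header value may receive CORS headers.
// Only scheme and host are compared; a value carrying a path, query or
// fragment is not a well-formed Origin and is rejected outright.
function isAllowedOrigin(origin: string, pattern: RegExp): boolean {
  let url: URL;
  try { url = new URL(origin); } catch { return false; }
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return false;
  return pattern.test(`${url.protocol}//${url.host}`);
}

// Constructed sample origins: two previews of our project, a preview of another
// project in the same team, and a deployment belonging to an unrelated account.
const SAMPLE_ORIGINS = [
  "https://npmx-dev-abc123def-example-team.vercel.app",
  "https://npmx-dev-git-fix-cors-example-team.vercel.app",
  "https://other-app-abc123def-example-team.vercel.app",
  "https://evil-app.vercel.app",
];

// Returns the subset of SAMPLE_ORIGINS a given pattern would accept.
function acceptedBy(pattern: RegExp): string[] {
  return SAMPLE_ORIGINS.filter((o) => isAllowedOrigin(o, pattern));
}
```

The weak pattern accepts all four sample origins, the team-scoped pattern the first three, and the project-scoped pattern only the two previews of the project itself.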