From 06999b2bd745291bbe5df71505149fb79620918b Mon Sep 17 00:00:00 2001
From: Martin Porwoll
Date: Wed, 25 Feb 2026 13:02:03 +0000
Subject: [PATCH] fix: add allowedOrigins for Next.js server actions behind reverse proxy

Next.js has its own CSRF protection for server actions, separate from Payload's csrf config. Without allowedOrigins, server actions from the admin panel behind a reverse proxy are rejected because the Origin header (cms.c2sgmbh.de) doesn't match the Host header (localhost:3001).

Also removes temporary debug logging from multiTenant access check.

Co-Authored-By: Claude Opus 4.6
---
 next.config.mjs       |  8 ++++++++
 src/payload.config.ts | 13 +------------
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/next.config.mjs b/next.config.mjs
index 87421d1..0c9cd13 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -7,6 +7,14 @@ const nextConfig = {
     // Use fewer workers for builds on low-memory systems
     workerThreads: false,
     cpus: 1,
+    // Allow server actions from these origins (behind reverse proxy)
+    serverActions: {
+      allowedOrigins: [
+        'pl.porwoll.tech',
+        'pl.c2sgmbh.de',
+        'cms.c2sgmbh.de',
+      ],
+    },
   },
   // Webpack configuration for TypeScript/ESM compatibility
   webpack: (webpackConfig) => {
diff --git a/src/payload.config.ts b/src/payload.config.ts
index 1657266..cf2d1af 100644
--- a/src/payload.config.ts
+++ b/src/payload.config.ts
@@ -409,18 +409,7 @@ export default buildConfig({
       } as Record),
     },
     // Super Admins haben Zugriff auf alle Tenants
-    userHasAccessToAllTenants: (user) => {
-      const result = Boolean(user?.isSuperAdmin)
-      console.log('[DEBUG:MultiTenant] userHasAccessToAllTenants:', {
-        userId: user?.id,
-        email: user?.email,
-        isSuperAdmin: user?.isSuperAdmin,
-        result,
-        tenants: user?.tenants,
-        userKeys: user ? Object.keys(user) : 'no user',
-      })
-      return result
-    },
+    userHasAccessToAllTenants: (user) => Boolean(user?.isSuperAdmin),
     debug: true,
     // Deutsche Übersetzungen für den Tenant-Selector
     i18n: {
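Review bot: The `allowedOrigins` list added under `serverActions` works around the symptom rather than the cause: the Origin/Host mismatch the message describes (`cms.c2sgmbh.de` vs `localhost:3001`) means the reverse proxy is not passing the original `Host` (or `X-Forwarded-Host`) through, and Next.js's server-action origin check also honours those headers, so forwarding them at the proxy would clear the rejection without an allow-list that must be hand-maintained. If the list stays, it is now the only thing deciding which origins may invoke admin server actions, so keep it to exact hostnames as here (no wildcard entries) and say so in the comment: `// Exact hosts the proxy serves; Next.js compares the Origin header against Host/X-Forwarded-Host and this list (no wildcards).` Hard-coding three production hostnames also means every new environment needs a code change; reading them from an env var with these as the fallback, e.g. `allowedOrigins: (process.env.SERVER_ACTIONS_ALLOWED_ORIGINS ?? 'pl.porwoll.tech,pl.c2sgmbh.de,cms.c2sgmbh.de').split(','),`, keeps the default but lets staging differ. This list only covers Next.js Server Actions; Payload's own `csrf` origins (not in this diff) presumably need the same hosts for cookie-authenticated REST calls — worth confirming. The enclosing `nextConfig` object starts and ends outside the hunk.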
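Review bot: `debug: true,` on the context line directly after the simplified `userHasAccessToAllTenants` still leaves the multi-tenant plugin in debug mode, so this hunk removes only one of the two debugging aids; if this config is what runs behind the production proxy, the plugin's own debug output is still being emitted, presumably as verbose as the removed log (which printed user ids, emails and tenant lists). Either drop it or gate it: `debug: process.env.NODE_ENV !== 'production',`. The removed log also documented that `user` can be undefined when this callback runs; `Boolean(user?.isSuperAdmin)` still handles that case, so no further change is needed there. The enclosing plugin options object starts and ends outside the hunk.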