fix: add allowedOrigins for Next.js server actions behind reverse proxy

Next.js has its own CSRF protection for server actions, separate from Payload's csrf config. Without allowedOrigins, server actions from the admin panel behind a reverse proxy are rejected because the Origin header (cms.c2sgmbh.de) doesn't match the Host header (localhost:3001). Also removes temporary debug logging from multiTenant access check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 16:14:12 +00:00 · 2026-02-25 13:02:03 +00:00 · 2026-02-25 13:02:03 +00:00 · 06999b2bd7
commit 06999b2bd7
parent 35bab1935a
2 changed files with 9 additions and 12 deletions
--- a/next.config.mjs
+++ b/next.config.mjs
@ -7,6 +7,14 @@ const nextConfig = {
    // Use fewer workers for builds on low-memory systems
    workerThreads: false,
    cpus: 1,
    // Allow server actions from these origins (behind reverse proxy)
    serverActions: {
      allowedOrigins: [
        'pl.porwoll.tech',
        'pl.c2sgmbh.de',
        'cms.c2sgmbh.de',
      ],
    },
  },
  // Webpack configuration for TypeScript/ESM compatibility
  webpack: (webpackConfig) => {
--- a/src/payload.config.ts
+++ b/src/payload.config.ts
@ -409,18 +409,7 @@ export default buildConfig({
        } as Record<string, { customTenantField?: boolean }>),
      },
      // Super Admins haben Zugriff auf alle Tenants
-      userHasAccessToAllTenants: (user) => {
+      userHasAccessToAllTenants: (user) => Boolean(user?.isSuperAdmin),
        const result = Boolean(user?.isSuperAdmin)
        console.log('[DEBUG:MultiTenant] userHasAccessToAllTenants:', {
          userId: user?.id,
          email: user?.email,
          isSuperAdmin: user?.isSuperAdmin,
          result,
          tenants: user?.tenants,
          userKeys: user ? Object.keys(user) : 'no user',
        })
        return result
      },
      debug: true,
      // Deutsche Übersetzungen für den Tenant-Selector
      i18n: {