mirror of
https://github.com/complexcaresolutions/cms.c2sgmbh.git
synced 2026-03-17 16:14:12 +00:00
Martin Porwoll
06999b2bd7
Next.js has its own CSRF protection for server actions, separate from Payload's csrf config. Without allowedOrigins, server actions from the admin panel behind a reverse proxy are rejected because the Origin header (cms.c2sgmbh.de) doesn't match the Host header (localhost:3001). Also removes temporary debug logging from multiTenant access check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
31 lines
850 B
JavaScript
31 lines
850 B
JavaScript
import { withPayload } from '@payloadcms/next/withPayload'
|
|
|
|
/** @type {import('next').NextConfig} */
|
|
const nextConfig = {
|
|
// Reduce memory usage during build
|
|
experimental: {
|
|
// Use fewer workers for builds on low-memory systems
|
|
workerThreads: false,
|
|
cpus: 1,
|
|
// Allow server actions from these origins (behind reverse proxy)
|
|
serverActions: {
|
|
allowedOrigins: [
|
|
'pl.porwoll.tech',
|
|
'pl.c2sgmbh.de',
|
|
'cms.c2sgmbh.de',
|
|
],
|
|
},
|
|
},
|
|
// Webpack configuration for TypeScript/ESM compatibility
|
|
webpack: (webpackConfig) => {
|
|
webpackConfig.resolve.extensionAlias = {
|
|
'.cjs': ['.cts', '.cjs'],
|
|
'.js': ['.ts', '.tsx', '.js', '.jsx'],
|
|
'.mjs': ['.mts', '.mjs'],
|
|
}
|
|
|
|
return webpackConfig
|
|
},
|
|
}
|
|
|
|
export default withPayload(nextConfig, { devBundleServerPackages: false })
|