From 29350af2e0735f4177cddeaa3e04981c06c349f5 Mon Sep 17 00:00:00 2001
From: Adam French <adam.a.french@outlook.com>
Date: Wed, 25 Mar 2026 16:59:13 +0000
Subject: [PATCH] Fix WebSocket 403 in dev mode by allowing localhost origins

The CheckOrigin function only accepted the production domain, rejecting
localhost connections in dev. Also removed redundant error response after
a failed upgrade since the upgrader already writes its own HTTP response.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 backend/handlers/handle_websocket.go | 2 +-
 backend/services/websocket.go        | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/backend/handlers/handle_websocket.go b/backend/handlers/handle_websocket.go
index 2c3c7f9..9a57fd5 100644
--- a/backend/handlers/handle_websocket.go
+++ b/backend/handlers/handle_websocket.go
@@ -8,7 +8,7 @@ import (
 func (store *Store) ConnectWebSocket(ctx *gin.Context) {
 	conn, err := services.Upgrader.Upgrade(ctx.Writer, ctx.Request, nil)
 	if err != nil {
-		ctx.JSON(500, gin.H{"error": err.Error()})
+		// Upgrader already wrote the HTTP error response, so just return
 		return
 	}
 
diff --git a/backend/services/websocket.go b/backend/services/websocket.go
index 35b4322..0d31f61 100644
--- a/backend/services/websocket.go
+++ b/backend/services/websocket.go
@@ -26,7 +26,9 @@ var Upgrader = websocket.Upgrader{
 		}
 		origin = strings.TrimPrefix(origin, "https://")
 		origin = strings.TrimPrefix(origin, "http://")
-		return origin == allowedDomain || origin == "www."+allowedDomain
+		// Strip port for localhost comparisons (e.g. "localhost:80")
+		host := strings.Split(origin, ":")[0]
+		return origin == allowedDomain || origin == "www."+allowedDomain || host == "localhost"
 	},
 }