From 45dbd341a3043320366507bfad03bbb4c7a475b3 Mon Sep 17 00:00:00 2001
From: Jan Willem Mannaerts
Date: Sat, 28 Feb 2026 12:28:07 +0100
Subject: [PATCH] Fix Socket.IO origin check and force WebSocket-only transport

Same-origin requests omit the Origin header, which was rejected in production. Also restrict to WebSocket transport on both client and server to eliminate need for sticky sessions with multiple replicas.

Co-Authored-By: Claude Opus 4.6
---
 backend/src/index.js | 3 ++-
 frontend/src/services/socket.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/backend/src/index.js b/backend/src/index.js
index d485091..360222c 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -43,7 +43,7 @@ const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:5174';
 const corsOptions = { origin: frontendUrl, credentials: true };
 function isAllowedOrigin(origin) {
- if (!origin) return !isProd;
+ if (!origin) return true; // same-origin requests omit the Origin header
 return origin === frontendUrl;
 }
@@ -81,6 +81,7 @@ if (isProd) {
 }
 const io = new Server(httpServer, {
+ transports: ['websocket'],
 cors: corsOptions,
 allowRequest: (req, callback) => {
 if (isAllowedOrigin(req.headers.origin)) {
diff --git a/frontend/src/services/socket.js b/frontend/src/services/socket.js
index be690ea..abacba1 100644
--- a/frontend/src/services/socket.js
+++ b/frontend/src/services/socket.js
@@ -9,7 +9,8 @@ export function getSocket() {
 autoConnect: true,
 reconnection: true,
 reconnectionAttempts: 10,
- reconnectionDelay: 750
+ reconnectionDelay: 750,
+ transports: ['websocket']
 };
 if (socketBaseUrl) {
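Review bot: The new `if (!origin) return true;` in isAllowedOrigin accepts every handshake that carries no Origin header in production, and the inline comment understates this, because non-browser clients omit the header as well. This same commit restricts the transport to WebSocket, and browsers send Origin on every WebSocket handshake, same-origin included, so the relaxed branch may no longer be needed for the frontend. It is worth confirming against a production handshake whether `if (!origin) return !isProd;` can stay. If the relaxation is kept, I would reword the comment to `// no Origin header: non-browser client or same-origin HTTP request; this check is not authentication`, and confirm the connection is authenticated independently of it, which this hunk does not show.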
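Review bot: `transports: ['websocket']` in the `new Server(httpServer, {...})` options removes the HTTP long-polling fallback without a comment saying why, and the matching option added in frontend/src/services/socket.js has to stay in sync with it. A client left on the default transports would open with polling, which this server no longer accepts. I would add a comment on both sides, e.g. `// WebSocket only: no long-polling fallback, so replicas need no sticky sessions; must match the other side`. Clients behind proxies that block WebSocket upgrades will now fail to connect and stop retrying after `reconnectionAttempts: 10`, so check that `connect_error` is surfaced to the user. Both the allowRequest callback and getSocket continue outside these hunks.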