From 6ebffb25a84edc898a40e29400f8946b2791dfa9 Mon Sep 17 00:00:00 2001
From: Andrew Rumble <andrew.rumble@overleaf.com>
Date: Wed, 16 Apr 2025 15:01:33 +0100
Subject: [PATCH] Log a warning when a user is rejected from accessing
 real-time by CORS

GitOrigin-RevId: 04a7ffbc24654c876688db446164bf36a162828f
---
 services/real-time/app.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/services/real-time/app.js b/services/real-time/app.js
index 4fecd8f8a6..38cb3caec4 100644
--- a/services/real-time/app.js
+++ b/services/real-time/app.js
@@ -95,6 +95,12 @@ io.configure(function () {
       const originIsValid = allowedCorsOriginsRegex.test(normalizedOrigin)
 
       if (req.headers.origin) {
+        if (!originIsValid) {
+          logger.warn(
+            { normalizedOrigin, origin, req },
+            'Origin header does not match allowed origins'
+          )
+        }
         return originIsValid
       }