`ORIGIN` value for `adapter-node` local previewing

[hyunbinseo]

Describe the bug

Current documentation suggests the following ORIGIN value.

# or e.g. for local previewing and testing
ORIGIN=http://localhost:3000 node build

However, running node build logs the following message:

node build
# Listening on 0.0.0.0:3000

When previewing the app from 0.0.0.0:3000, CSRF protection is triggered (as expected).

---

The following message is technically correct,

Listening on 0.0.0.0:3000

but the users should be guided to open the app in http://localhost:5173.

Reproduction

Reference above.

Logs

No response

System Info

System:
  OS: macOS 14.4
  CPU: (10) arm64 Apple M1 Pro
  Memory: 76.95 MB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 20.11.1 - ~/.volta/tools/image/node/20.11.1/bin/node
  npm: 10.2.4 - ~/.volta/tools/image/node/20.11.1/bin/npm
  pnpm: 8.15.4 - ~/.volta/bin/pnpm
Browsers:
  Chrome: 122.0.6261.112
  Edge: 122.0.2365.80
  Safari: 17.4
npmPackages:
  @sveltejs/adapter-node: ^5.0.1 => 5.0.1 
  @sveltejs/kit: ^2.5.1 => 2.5.3 
  @sveltejs/vite-plugin-svelte: ^3.0.2 => 3.0.2 
  svelte: ^4.2.11 => 4.2.12 
  vite: ^5.1.4 => 5.1.5

Severity

annoyance

Additional Information

The 0.0.0.0:3000 part is clickable, but does not open the browser window (tab) in the VS Code console.

[Conduitry]

I don't think this is a good idea to change. 0.0.0.0:3000 is what it's listening on. This comes from the HOST and PORT environment variables. If you had a reverse proxy in front of the app and had ORIGIN set to https://example.com, it would be misleading to say that it's listening on https://example.com.

ORIGIN doesn't actually change what host/port the application server binds to. And for me, even when ORIGIN is not set, the app is not accessible at 0.0.0.0:3000. On most systems, I don't think 0.0.0.0 resolves to localhost.

The production version of an app is not typically run locally, and I don't think that's what we should be optimizing its logs for. When you do run it locally, you presumably also have access to the ORIGIN env var that you're running it with.

[hyunbinseo]

Listening on 0.0.0.0:3000

1. I do agree that the above message is accurate and should be logged.
2. I am able to access 0.0.0.0:3000 in macOS Firefox, Chrome, and Edge.

Other possible solutions are:

• Requiring the ORIGIN environment variable when running node build.
• Set a fallback ORIGIN value to http://localhost:${process.env.PORT}.

I am currently using the latter in my personal template.

Debugging CSRF protection error in the production build is not obvious.