Remove this Origin check, please!

I'm hoping this old comment can be addressed now?

Which affects this code:

As far as I can tell, there is no current documentation that mentions use of anything other than the APP_BASE_URL environment variable, even though the code does use USER_CONTENT_BASE_URL and API_BASE_URL. Maybe the easy/safe fix is to specify that the origin is valid if none of the other base URL environment variables are specified? That way this code will continue to function as designed when different domains are used.

Yes! Please allow us to REMOVE/DISABLE the origin check. This is causing many problems.

I would also love to have a way to disable this check. Any update on this?

Not a proper fix, but this is the method I used to bypass it in my Docker environment. As with anything, this may break, not work, or cause damage elsewhere, so follow with caution and double-check everything!

Instead of using Docker to modify the code, a simpler fix is to just set the value of all three ...BASE_URL environment variables to the same thing, for example:

APP_BASE_URL=https://notes.yourdomain.com
USER_CONTENT_BASE_URL=https://notes.yourdomain.com
API_BASE_URL=https://notes.yourdomain.com

This way the origin check works as-is. I’m doing this now with a Cloudflare Tunnel and it works fine.

I’d also prefer that this check is disable-able so that I could access the server both using my external hostname and (while on the internal network) via IP, so that in case of an external network outage I could still access it, but this at least lets the external domain work without any code changes.
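
For the external-hostname-plus-internal-IP case raised in the last post, an alternative to disabling the check is an exact-match allowlist. The sketch below is an added example, not the project's code: it assumes the check compares the request's Origin header with the origins of the three ...BASE_URL variables, and EXTRA_ALLOWED_ORIGINS is a hypothetical setting.

```javascript
// Added illustration, not the project's code. Only the three *_BASE_URL names
// come from the thread; EXTRA_ALLOWED_ORIGINS is a hypothetical setting.

// Reduce a URL to its origin (scheme + host + port); null if not http(s).
function toOrigin(value) {
  try {
    const url = new URL(value);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.origin; // lowercases the host, drops default ports and paths
  } catch {
    return null; // not a parseable URL, e.g. the literal string "null"
  }
}

// Build the allowlist from the configured base URLs plus optional extras.
function allowedOrigins(env) {
  const configured = [env.APP_BASE_URL, env.USER_CONTENT_BASE_URL, env.API_BASE_URL];
  const extras = (env.EXTRA_ALLOWED_ORIGINS || '').split(',').map((s) => s.trim());
  const origins = [...configured, ...extras].filter(Boolean).map(toOrigin);
  return new Set(origins.filter(Boolean));
}

// Exact-match check: no substring or suffix matching, and "null" never passes.
function isOriginAllowed(originHeader, env) {
  if (typeof originHeader !== 'string') return false;
  const origin = toOrigin(originHeader);
  // Reject values that are not a bare origin (path, trailing slash, default port).
  if (origin === null || origin !== originHeader.toLowerCase()) return false;
  return allowedOrigins(env).has(origin);
}

// Constructed sample configuration (hostname and IP are placeholders).
const sampleEnv = {
  APP_BASE_URL: 'https://notes.yourdomain.com',
  USER_CONTENT_BASE_URL: 'https://notes.yourdomain.com',
  API_BASE_URL: 'https://notes.yourdomain.com',
  EXTRA_ALLOWED_ORIGINS: 'http://192.168.1.10:3000',
};
```

With only the three base URLs set to the same value, the internal-IP origin is rejected, which matches the behaviour described in the thread; listing it explicitly admits it while lookalike hostnames still fail.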