Handle remote API host selection and fix datetime literals

apps/service/src/config.service.spec.ts

@@ -1,5 +1,6 @@
 import { Test, TestingModule } from '@nestjs/testing';
 import Database from 'better-sqlite3';
+import path from 'path';
 import { ConfigService } from './config.service';
 
 // Mock better-sqlite3

apps/service/src/db.service.ts

@@ -410,8 +410,7 @@ export class DbService {
     const params = [status];
 
     if (olderThanDays !== undefined) {
-      query +=
-        ' AND created_at < datetime("now", "-' + olderThanDays + ' days")';
+      query += ` AND created_at < datetime('now', '-${olderThanDays} days')`;
     }
 
     return this.db.prepare(query).run(...params);
@@ -420,9 +419,7 @@ export class DbService {
   deleteTasksOlderThan(days: number) {
     return this.db
       .prepare(
-        'DELETE FROM tasks WHERE created_at < datetime("now", "-' +
-          days +
-          ' days")',
+        `DELETE FROM tasks WHERE created_at < datetime('now', '-${days} days')`,
       )
       .run();
   }

apps/web/src/lib/api.ts

@@ -1,5 +1,16 @@
-// API_BASE now uses relative path for proxy, or falls back to direct API URL
-export const API_BASE = process.env.NEXT_PUBLIC_WATCH_FINISHED_API || "/api";
+// Prefer explicit API host when provided, but avoid leaking localhost to remote clients
+const envApi = process.env.NEXT_PUBLIC_WATCH_FINISHED_API;
+const isBrowser = typeof window !== "undefined";
+const isLocalEnv =
+  envApi?.includes("localhost") || envApi?.includes("127.0.0.1");
+const isLocalHost = !isBrowser
+  ? true
+  : window.location.hostname === "localhost" ||
+    window.location.hostname === "127.0.0.1";
+
+// If env points at localhost but the page is served from a non-local host, fall back to relative /api
+export const API_BASE =
+  envApi && (!isLocalEnv || isLocalHost) ? envApi : "/api";
 
 function buildUrl(path: string, params?: any) {
   // If API_BASE starts with http, use it as absolute URL
@@ -9,7 +20,10 @@ function buildUrl(path: string, params?: any) {
 
   const url = base
     ? new URL(fullPath, base)
-    : new URL(fullPath, window.location.origin);
+    : new URL(
+        fullPath,
+        isBrowser ? window.location.origin : "http://localhost:3000"
+      );
   if (params && typeof params === "object") {
     Object.entries(params).forEach(([k, v]) => {
       if (v !== undefined && v !== null) url.searchParams.append(k, String(v));

apps/web/src/lib/websocket.ts

@@ -7,8 +7,19 @@ class WebSocketService {
 
   connect(url?: string) {
     // Use relative path for proxy support, or explicit URL if provided
+    const envApi = process.env.NEXT_PUBLIC_WATCH_FINISHED_API;
+    const isLocalEnv =
+      envApi?.includes("localhost") || envApi?.includes("127.0.0.1");
+    const isBrowser = typeof window !== "undefined";
+    const hostIsLocal =
+      !isBrowser ||
+      window.location.hostname === "localhost" ||
+      window.location.hostname === "127.0.0.1";
+
+    // Use env API when provided and not pointing at localhost from a remote page; otherwise, stick to current origin.
     const defaultUrl =
-      process.env.NEXT_PUBLIC_WATCH_FINISHED_API || window.location.origin;
+      envApi && (!isLocalEnv || hostIsLocal) ? envApi : window.location.origin;
+
     const wsUrl = url || defaultUrl;
 
     if (this.socket?.connected) {