fix(backend): use public MinIO origin for browser uploads

Backend/index.ts

@@ -21,7 +21,7 @@ import opsRoutes from './routes/ops';
 import { rateLimit } from './middleware/security';
 import { requestContext } from './middleware/observability';
 import { setupRealtimeGateway } from './realtime/gateway';
-import { ensureMinioBucket } from './utils/minio';
+import { ensureMinioBucket, minioPublicOrigin } from './utils/minio';
 import { startRecordingsWorker } from './workers/recordings';
 import { startPushWorker } from './services/push';
 
@@ -35,31 +35,8 @@ const corsMiddleware = cors({
   credentials: true,
 });
 
-const buildMinioConnectOrigin = (): string | null => {
-  const endpoint = process.env.MINIO_ENDPOINT?.trim();
-  if (!endpoint) {
-    return null;
-  }
-
-  if (endpoint.startsWith('http://') || endpoint.startsWith('https://')) {
-    try {
-      return new URL(endpoint).origin;
-    } catch {
-      return null;
-    }
-  }
-
-  const useSSL = (process.env.MINIO_USE_SSL ?? 'false').toLowerCase() === 'true';
-  const port = Number(process.env.MINIO_PORT ?? (useSSL ? 443 : 80));
-  const scheme = useSSL ? 'https' : 'http';
-  const includePort = !(useSSL && port === 443) && !(!useSSL && port === 80);
-
-  return `${scheme}://${endpoint}${includePort ? `:${port}` : ''}`;
-};
-
-const minioConnectOrigin = buildMinioConnectOrigin();
-const connectSrcDirectives = ["'self'", 'cdn.jsdelivr.net', ...(minioConnectOrigin ? [minioConnectOrigin] : [])];
-const mediaSrcDirectives = ["'self'", 'blob:', 'data:', ...(minioConnectOrigin ? [minioConnectOrigin] : [])];
+const connectSrcDirectives = ["'self'", 'cdn.jsdelivr.net', ...(minioPublicOrigin ? [minioPublicOrigin] : [])];
+const mediaSrcDirectives = ["'self'", 'blob:', 'data:', ...(minioPublicOrigin ? [minioPublicOrigin] : [])];
 
 app.get('/', (_req, res) => {
   res.send('API is running');