From 31419f49b15e11b39dec882696ca599a5804e4e1 Mon Sep 17 00:00:00 2001
From: Mahi <Mahi-Workspace@Pro.local>
Date: Mon, 9 Feb 2026 11:00:38 -0400
Subject: [PATCH] fix: Use CORS_ORIGIN env var in allowed origins list

- Add corsOrigin from config to allowedOrigins array
- Log warning when CORS blocks an origin (helps debugging)
---
 backend/src/main.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/backend/src/main.ts b/backend/src/main.ts
index 6070011..7ed5cf5 100644
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -27,17 +27,19 @@ async function bootstrap(): Promise<void> {
   app.use(helmet());
   app.use(compression());
 
-  // CORS configuration - Allow multiple origins for local development
+  // CORS configuration - Allow configured origin plus local development origins
   const allowedOrigins = [
+    corsOrigin,
     'http://localhost:4200',
     'http://localhost:3000',
     'http://localhost:8080',
-  ];
+  ].filter(Boolean);
   app.enableCors({
     origin: (origin, callback) => {
       if (!origin || allowedOrigins.includes(origin)) {
         callback(null, true);
       } else {
+        logger.warn(`CORS blocked origin: ${origin}. Allowed: ${allowedOrigins.join(', ')}`);
         callback(null, false);
       }
     },