fix: Use CORS_ORIGIN env var in allowed origins list

- Add corsOrigin from config to allowedOrigins array - Log warning when CORS blocks an origin (helps debugging)
2026-02-09 11:00:38 -04:00
parent 10de6fa630
commit 31419f49b1
1 changed files with 4 additions and 2 deletions
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -27,17 +27,19 @@ async function bootstrap(): Promise<void> {
  app.use(helmet());
  app.use(compression());

-  // CORS configuration - Allow multiple origins for local development
+  // CORS configuration - Allow configured origin plus local development origins
  const allowedOrigins = [
+    corsOrigin,
    'http://localhost:4200',
    'http://localhost:3000',
    'http://localhost:8080',
-  ];
+  ].filter(Boolean);
  app.enableCors({
    origin: (origin, callback) => {
      if (!origin || allowedOrigins.includes(origin)) {
        callback(null, true);
      } else {
+        logger.warn(`CORS blocked origin: ${origin}. Allowed: ${allowedOrigins.join(', ')}`);
        callback(null, false);
      }
    },