From 436e81ecc9159fd3f2849d538f2122d92342e042 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carl-Gerhard=20Lindesva=CC=88rd?=
Date: Fri, 10 Oct 2025 15:42:52 +0200
Subject: [PATCH] fix(api): allow multiple cors origins
---
 apps/api/src/index.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index f6f429b5..e960f0d9 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -93,8 +93,19 @@ const startServer = async () => {
 );
 if (isPrivatePath) {
+ // Allow multiple dashboard domains
+ const allowedOrigins = [
+ process.env.NEXT_PUBLIC_DASHBOARD_URL,
+ ...(process.env.API_CORS_ORIGINS?.split(',') ?? []),
+ ].filter(Boolean);
+
+ const origin = req.headers.origin;
+ const isAllowed = origin && allowedOrigins.includes(origin);
+
+ logger.info('Allowed origins', { allowedOrigins, origin, isAllowed });
+
 return callback(null, {
- origin: process.env.NEXT_PUBLIC_DASHBOARD_URL,
+ origin: isAllowed ? origin : false,
 credentials: true,
 });
 }
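Review bot: The entries split out of `API_CORS_ORIGINS` are compared verbatim against the request's Origin header, so a value written with a space after the comma (constructed example: `https://a.example, https://b.example`) leaves a leading space on the second entry and that dashboard is silently refused. Trimming while splitting avoids this: `...(process.env.API_CORS_ORIGINS?.split(',').map((o) => o.trim()) ?? []),`. Separately, the `logger.info('Allowed origins', …)` call runs on every private-path request and writes the caller-supplied Origin value plus the full allowlist at info level. I would lower it to debug or log only refusals, e.g. `if (!isAllowed) logger.warn('CORS origin rejected', { origin });`. The body of `startServer` continues outside the hunk, so whether the allowlist could be built once at startup rather than per request is not visible here.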