From ae7003d3faaae4a9797321e87d6bbbd6a4ec3dd9 Mon Sep 17 00:00:00 2001
From: Tiago Yamamoto <tiago.ribeiro@inventcloud.com.br>
Date: Wed, 24 Dec 2025 00:03:52 -0300
Subject: [PATCH] feat(backoffice): add CORS_ORIGINS env var support

---
 backend/.env.example    | 5 +----
 backoffice/.env.example | 3 +++
 backoffice/src/main.ts  | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/backend/.env.example b/backend/.env.example
index dd22d44..be99c9c 100755
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -27,10 +27,7 @@ BACKEND_HOST=localhost:8521
 ENV=development
 
 # CORS Origins (comma-separated)
-# Development:
-# CORS_ORIGINS=http://localhost:3000,http://localhost:8963
-# Production:
-CORS_ORIGINS=https://gohorsejobs.com,https://gohorsejobs-dev.appwrite.network,https://api-dev2.gohorsejobs.com
+CORS_ORIGINS=http://localhost:3000,http://localhost:8963
 
 # =============================================================================
 # Cloudflare API (for cache management)
diff --git a/backoffice/.env.example b/backoffice/.env.example
index dbd1ca0..78df283 100644
--- a/backoffice/.env.example
+++ b/backoffice/.env.example
@@ -7,6 +7,9 @@ BACKOFFICE_PORT=3001
 BACKOFFICE_HOST=0.0.0.0
 NODE_ENV=development
 
+# CORS Origins (comma-separated)
+CORS_ORIGINS=https://gohorsejobs.com,https://gohorsejobs-dev.appwrite.network,https://api-dev2.gohorsejobs.com
+
 # =============================================================================
 # Stripe
 # =============================================================================
diff --git a/backoffice/src/main.ts b/backoffice/src/main.ts
index df0708e..1b7c1f8 100644
--- a/backoffice/src/main.ts
+++ b/backoffice/src/main.ts
@@ -38,12 +38,12 @@ async function bootstrap() {
   // CORS configuration (Fastify-native)
   app.enableCors({
     origin: (origin, callback) => {
+      // Parse CORS_ORIGINS from env (comma-separated)
+      const envOrigins = process.env.CORS_ORIGINS?.split(',').map(o => o.trim()) || [];
       const allowedOrigins = [
         'http://localhost:3000',
         'http://localhost:8963',
-        'https://gohorsejobs.com',
-        'https://admin.gohorsejobs.com',
-        process.env.FRONTEND_URL,
+        ...envOrigins,
       ].filter(Boolean);
 
       if (!origin || allowedOrigins.includes(origin)) {