fix: allow configurable CSRF/CORS origins via env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: PttCodingMan

.env.example

@@ -10,6 +10,9 @@ MEDIA_DIR=./data/media
 
 # ── Security ──
 COOKIE_SECURE=false  # Set to true in production with HTTPS
+# Extra origins allowed for CSRF/CORS (comma-separated). localhost:5173 and
+# localhost:3000 are always allowed. Set your public URL here in prod.
+ALLOWED_ORIGINS=
 
 # ── Frontend ──
 VITE_API_URL=http://localhost:8000

backend/app/config.py

@@ -14,6 +14,11 @@ class Settings(BaseSettings):
     VITE_API_URL: str = "http://localhost:8000"
     COOKIE_SECURE: bool = False  # Set to True in production with HTTPS
 
+    # Comma-separated list of origins allowed for CSRF/CORS on top of the
+    # always-included localhost dev origins. Set this to your public URL(s)
+    # in production, e.g. "https://wiki.example.com".
+    ALLOWED_ORIGINS: str = ""
+
     # ── AI chat (optional, OpenAI-compatible) ──
     # Default targets Gemini's OpenAI-compatible endpoint, but any provider
     # that speaks the same wire format works (OpenAI, Ollama, Groq, DeepSeek…).

backend/app/main.py

@@ -13,7 +13,9 @@
 
 logger = logging.getLogger("justwiki")
 
-_ALLOWED_ORIGINS = {"http://localhost:5173", "http://localhost:3000"}
+_ALLOWED_ORIGINS = {"http://localhost:5173", "http://localhost:3000"} | {
+    o.strip() for o in settings.ALLOWED_ORIGINS.split(",") if o.strip()
+}
 _SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
 _CSRF_EXEMPT_PATHS = {"/api/auth/login", "/api/auth/logout"}