oshankkkk · oshankkkk · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -8,12 +8,11 @@ ARG DB_URL
 ARG PORT
 ARG APP_ENV
 ARG CLERK_SECRET_KEY
-ARG CLIENT_URL
 
 COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -o /server ./cmd/server/
-
 FROM alpine:latest
+ENV CLIENT_URL=https://scintillating-commitment-production-2429.up.railway.app
 COPY --from=builder /server /server
 EXPOSE 8080
 CMD ["/server"]
diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
@@ -106,8 +106,9 @@ func main() {
 		w.WriteHeader(http.StatusOK)
 		fmt.Fprintln(w, "OK")
 	})
-	url:=requiredEnv("CLIENT_URL")
-	check(http.ListenAndServe(httpAddress(), corsmiddleware.CORS(mux,url)))
+	//url:=requiredEnv("CLIENT_URL")
+	check(http.ListenAndServe(httpAddress(), corsmiddleware.CORS(mux)))
+
 
 }
 func check(err error) {

diff --git a/backend/internal/middleware/cors/cors.go b/backend/internal/middleware/cors/cors.go
@@ -1,23 +1,24 @@
 package middleware
 
-import 
-("net/http"
-
+import (
+	"net/http"
+	"os"
+	"strings"
+	//"fmt"
+
 )
 
-func CORS(next http.Handler,url string) http.Handler {
-
+func CORS(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 
-		w.Header().Set("Access-Control-Allow-Origin", url)
+		origin := r.Header.Get("Origin")
 
-		w.Header().Set("Access-Control-Allow-Credentials", "true")
+	w.Header().Set("Access-Control-Allow-Origin", origin)
 
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
 		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
-
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS")
 
-		// preflight
 		if r.Method == http.MethodOptions {
 			w.WriteHeader(http.StatusOK)
 			return
@@ -26,3 +27,38 @@ func CORS(next http.Handler,url string) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func allowedOriginsFromEnv() map[string]struct{} {
+	origins := map[string]struct{}{}
+
+	for _, envKey := range []string{"CLIENT_URL", "CORS_ALLOWED_ORIGINS"} {
+		raw := strings.TrimSpace(os.Getenv(envKey))
+		if raw == "" {
+			continue
+		}
+
+		for _, candidate := range strings.Split(raw, ",") {
+			origin := strings.TrimSpace(strings.TrimSuffix(candidate, "/"))
+			if origin == "" {
+				continue
+			}
+			origins[origin] = struct{}{}
+		}
+	}
+
+	if len(origins) == 0 {
+		origins["http://localhost:5173"] = struct{}{}
+	}
+
+	return origins
+}
+
+func isAllowedOrigin(origin string, allowed map[string]struct{}) bool {
+	if origin == "" {
+		return false
+	}
+
+	normalized := strings.TrimSuffix(strings.TrimSpace(origin), "/")
+	_, ok := allowed[normalized]
+	return ok
+}