| 31 | } |
| 32 | |
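/**
 * Builds the CORS origin allow-list for auth endpoints from the `APP_URL`
 * environment variable.
 *
 * @returns A single-element array holding the lower-cased origin of `APP_URL`,
 *   or an empty array when the variable is unset, blank, unparsable, or does
 *   not use the `http:` / `https:` scheme.
 */
export function getAllowedAuthCorsOrigins(): string[] {
  const configured = process.env.APP_URL?.trim()
  if (!configured) return []

  let parsed: URL
  try {
    parsed = new URL(configured)
  } catch {
    // Unparsable value: fail closed with an empty allow-list.
    return []
  }

  // A value such as "localhost:3000" (scheme omitted) still parses, with
  // "localhost:" as the scheme, and its `origin` serializes to the literal
  // string "null". Allow-listing "null" would match the `Origin: null` header
  // that browsers send from opaque contexts, so only web origins are accepted.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return []

  return [parsed.origin.toLowerCase()]
}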
| 42 | |
| 43 | // Endpoints that issue or refresh session tokens — must not accept wildcard origins |
| 44 | const SESSION_ENDPOINTS = [ |