Allow all origins by default, restrict only when ALLOWED_ORIGINS is set

Same-origin requests don't need CORS restrictions. Users can optionally
set ALLOWED_ORIGINS to lock it down.

docker-compose.yml

@@ -7,7 +7,7 @@ services:
     environment:
       - NODE_ENV=production
       - JWT_SECRET=${JWT_SECRET:-change-me-to-a-long-random-string}
-      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-http://localhost:3000}
+      # - ALLOWED_ORIGINS=https://yourdomain.com  # Optional: restrict CORS to specific origins
       - PORT=3000
     volumes:
       - ./data:/app/data

server/src/index.js

@@ -21,12 +21,14 @@ const tmpDir = path.join(__dirname, '../data/tmp');
 // Middleware
 const allowedOrigins = process.env.ALLOWED_ORIGINS
   ? process.env.ALLOWED_ORIGINS.split(',')
-  : ['http://localhost:5173', 'http://localhost:3000'];
+  : null;
 app.use(cors({
-  origin: (origin, callback) => {
-    if (!origin || allowedOrigins.includes(origin)) callback(null, true);
-    else callback(new Error('Not allowed by CORS'));
-  },
+  origin: allowedOrigins
+    ? (origin, callback) => {
+        if (!origin || allowedOrigins.includes(origin)) callback(null, true);
+        else callback(new Error('Not allowed by CORS'));
+      }
+    : true,
   credentials: true
 }));
 app.use(express.json());