v1.4 - Login fixes, etc

backend/app/core/config.py

@@ -2,6 +2,20 @@ import os
 from dataclasses import dataclass
 
 
+DEFAULT_CORS_ALLOW_ORIGIN_REGEX = (
+    r"^https?://("
+    r"localhost|127\.0\.0\.1|"
+    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
+    r"192\.168\.\d{1,3}\.\d{1,3}|"
+    r"172\.(1[6-9]|2\d|3[0-1])\.\d{1,3}\.\d{1,3}"
+    r")(:\d+)?$"
+)
+
+
+def _parse_csv_env(value: str) -> tuple[str, ...]:
+    return tuple(part.strip() for part in value.split(",") if part.strip())
+
+
 @dataclass(frozen=True)
 class Settings:
     app_name: str
@@ -14,6 +28,8 @@ class Settings:
     admin_email: str
     admin_password: str
     auth_secret: str
+    cors_allow_origins: tuple[str, ...]
+    cors_allow_origin_regex: str
 
     @classmethod
     def from_env(cls) -> "Settings":
@@ -28,6 +44,13 @@ class Settings:
             admin_email=os.getenv("ADMIN_EMAIL", "admin@lean101.local"),
             admin_password=os.getenv("ADMIN_PASSWORD", "lean101-admin"),
             auth_secret=os.getenv("AUTH_SECRET", "lean-101-local-dev-secret"),
+            cors_allow_origins=_parse_csv_env(
+                os.getenv(
+                    "CORS_ALLOW_ORIGINS",
+                    "http://localhost:5173,http://localhost:5174,http://127.0.0.1:5173,http://127.0.0.1:5174",
+                )
+            ),
+            cors_allow_origin_regex=os.getenv("CORS_ALLOW_ORIGIN_REGEX", DEFAULT_CORS_ALLOW_ORIGIN_REGEX),
         )