From 033cec29f1e6e90a1ddeb1f55909c057c903afbb Mon Sep 17 00:00:00 2001
From: Nguyen Quang Huy
Date: Sat, 11 Apr 2026 16:11:26 +0700
Subject: [PATCH] fix cors
---
 server.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/server.js b/server.js
index 2a187ad..07f84b0 100644
--- a/server.js
+++ b/server.js
@@ -131,10 +131,19 @@ app.use((req, res, next) => {
 app.use((req, res, next) => {
 // Allow requests from configured FRONTEND_URL or allow all if not set
 const origin = req.headers.origin;
- const allowedOrigin = FRONTEND_URL || "*";
+
+ // Support multiple frontend URLs (dev and production)
+ const allowedOrigins = [
+ FRONTEND_URL,
+ "http://dev.hailearning.edu.vn",
+ "https://www.hailearning.edu.vn",
+ "http://www.hailearning.edu.vn"
+ ].filter(Boolean); // Remove undefined/empty values
- if (allowedOrigin === "*" || origin === allowedOrigin) {
- res.setHeader("Access-Control-Allow-Origin", allowedOrigin === "*" ? "*" : origin);
+ const isOriginAllowed = allowedOrigins.includes(origin) || !FRONTEND_URL;
+
+ if (isOriginAllowed) {
+ res.setHeader("Access-Control-Allow-Origin", origin || "*");
 res.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
 res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
 res.setHeader("Access-Control-Allow-Credentials", "true");
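Review bot: The `|| !FRONTEND_URL` term in `isOriginAllowed` lets every origin pass when the variable is unset, and the next line then echoes that origin back alongside `Access-Control-Allow-Credentials: true`, so a deployment with a missing env var grants credentialed cross-origin reads to any site; the old `*` fallback was at least refused by browsers for credentialed requests. I would fail closed with `const isOriginAllowed = allowedOrigins.includes(origin);` and write `res.setHeader("Access-Control-Allow-Origin", origin);` without the `|| "*"` fallback. The two hard-coded `http://` entries also extend credentialed access to origins served without TLS, whose content can be altered on the network path, so they should be dropped or limited to non-production builds. Because the allowed origin is now reflected per request, add `res.setHeader("Vary", "Origin");` unless it is already set outside this hunk; the middleware body continues past the last visible line.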