server.js

@@ -131,10 +131,19 @@ app.use((req, res, next) => {
 app.use((req, res, next) => {
     // Allow requests from configured FRONTEND_URL or allow all if not set
     const origin = req.headers.origin;
-    const allowedOrigin = FRONTEND_URL || "*";
+    
+    // Support multiple frontend URLs (dev and production)
+    const allowedOrigins = [
+        FRONTEND_URL,
+        "http://dev.hailearning.edu.vn",
+        "https://www.hailearning.edu.vn",
+        "http://www.hailearning.edu.vn"
+    ].filter(Boolean); // Remove undefined/empty values
 
-    if (allowedOrigin === "*" || origin === allowedOrigin) {
-        res.setHeader("Access-Control-Allow-Origin", allowedOrigin === "*" ? "*" : origin);
+    const isOriginAllowed = allowedOrigins.includes(origin) || !FRONTEND_URL;
+    
+    if (isOriginAllowed) {
+        res.setHeader("Access-Control-Allow-Origin", origin || "*");
         res.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
         res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
         res.setHeader("Access-Control-Allow-Credentials", "true");