From f6e78f1a335b67d348f70e1739fcbb33725eca95 Mon Sep 17 00:00:00 2001
From: iDefineHD <purpleizlegitx@gmail.com>
Date: Sun, 11 Jan 2026 00:58:30 +0000
Subject: [PATCH] Allow CORS from both localhost and production domain

---
 index.js | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/index.js b/index.js
index 503a0e0..9146f4d 100644
--- a/index.js
+++ b/index.js
@@ -61,23 +61,30 @@ const createServer = () => {
  * Register plugins
  */
 const registerPlugins = async (fastify) => {
-  // CORS - Allow requests from file:// protocol for test client
+  // CORS - Allow both local development and production
   await fastify.register(fastifyCors, {
     origin: (origin, callback) => {
+      const allowedOrigins = [
+        "http://localhost:5173",
+        "http://127.0.0.1:5173",
+        "https://turbotrades.dev",
+        config.cors.origin,
+      ];
+
       // Allow requests from file:// protocol (local HTML files)
-      if (!origin || origin === "null" || origin === config.cors.origin) {
+      if (!origin || origin === "null") {
         callback(null, true);
         return;
       }
 
-      // In development, allow localhost on any port
+      // Allow localhost on any port in development
       if (config.isDevelopment && origin.includes("localhost")) {
         callback(null, true);
         return;
       }
 
-      // Otherwise, check if it matches configured origin
-      if (origin === config.cors.origin) {
+      // Check if origin is in allowed list
+      if (allowedOrigins.includes(origin)) {
         callback(null, true);
       } else {
         callback(new Error("Not allowed by CORS"), false);