From 6d83d89073f19fcb47a385b10e3b8b27e57a4e9f Mon Sep 17 00:00:00 2001
From: jessikitty <jess.rogerson.29@outlook.com>
Date: Mon, 26 Jan 2026 22:17:18 +1100
Subject: [PATCH] Fix ALLOWED_ORIGINS to accept comma-separated string

---
 backend/app/core/config.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/backend/app/core/config.py b/backend/app/core/config.py
index 622172a..c0dab43 100644
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -17,11 +17,18 @@ class Settings(BaseSettings):
     ALGORITHM: str = "HS256"
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
     
-    # CORS
-    ALLOWED_ORIGINS: List[str] = ["http://localhost:5173", "http://localhost:3000"]
+    # CORS - accepts either comma-separated string or JSON array
+    ALLOWED_ORIGINS: str = "http://localhost:5173,http://localhost:3000"
     
     class Config:
         env_file = ".env"
         case_sensitive = True
+    
+    @property
+    def cors_origins(self) -> List[str]:
+        """Parse ALLOWED_ORIGINS into a list."""
+        if isinstance(self.ALLOWED_ORIGINS, str):
+            return [origin.strip() for origin in self.ALLOWED_ORIGINS.split(',')]
+        return self.ALLOWED_ORIGINS
 
 settings = Settings()