Fix ALLOWED_ORIGINS to accept comma-separated string

backend/app/core/config.py

@@ -17,11 +17,18 @@ class Settings(BaseSettings):
     ALGORITHM: str = "HS256"
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
     
-    # CORS
-    ALLOWED_ORIGINS: List[str] = ["http://localhost:5173", "http://localhost:3000"]
+    # CORS - accepts either comma-separated string or JSON array
+    ALLOWED_ORIGINS: str = "http://localhost:5173,http://localhost:3000"
     
     class Config:
         env_file = ".env"
         case_sensitive = True
+    
+    @property
+    def cors_origins(self) -> List[str]:
+        """Parse ALLOWED_ORIGINS into a list."""
+        if isinstance(self.ALLOWED_ORIGINS, str):
+            return [origin.strip() for origin in self.ALLOWED_ORIGINS.split(',')]
+        return self.ALLOWED_ORIGINS
 
 settings = Settings()