From 470dd80ed8466b8fbf7bf975312daf804d4ea230 Mon Sep 17 00:00:00 2001
From: Jonathan
Date: Tue, 24 Mar 2026 18:15:44 +0100
Subject: [PATCH] Make CORS allowed origins configurable via ALLOWED_ORIGINS env var Defaults to localhost:3000 for local dev. Server deployments can pass a comma-separated list via the environment.
Co-Authored-By: Claude Sonnet 4.6
---
 btc-portfolio/backend/app/main.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/btc-portfolio/backend/app/main.py b/btc-portfolio/backend/app/main.py
index 2496285..959c12b 100644
--- a/btc-portfolio/backend/app/main.py
+++ b/btc-portfolio/backend/app/main.py
@@ -1,3 +1,5 @@
+import os
+
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
@@ -8,9 +10,11 @@ Base.metadata.create_all(bind=engine)
 app = FastAPI(title="BTC Portfolio API")
+origins = os.getenv("ALLOWED_ORIGINS", "http://localhost:3000").split(",")
+
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["http://localhost:3000"],
+ allow_origins=origins,
 allow_credentials=True,
 allow_methods=["*"],
 allow_headers=["*"],
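Review bot: The new `origins` list in the second hunk goes to `CORSMiddleware` unvalidated while `allow_credentials=True` stays in place, so a deployment that sets `ALLOWED_ORIGINS=*` would pair a wildcard origin with credentialed requests. As far as I know, Starlette answers such requests by echoing the caller's Origin, which would let any site read authenticated responses. I would fail at startup in that case with `if "*" in origins: raise RuntimeError("ALLOWED_ORIGINS must list explicit origins when credentials are allowed")`. The bare `split(",")` also keeps surrounding whitespace and empty entries, so a value like `https://a.example, https://b.example` silently never matches the second origin; `origins = [o.strip() for o in os.getenv("ALLOWED_ORIGINS", "http://localhost:3000").split(",") if o.strip()]` avoids that. The `app.add_middleware(` call closes outside the hunk.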