
fix: CORS origin validation and public API URL for frontend

- Fix CORS to properly validate origin against ALLOWED_ORIGINS list
  (required for credentials: include to work)
- Change ALLOWED_ORIGINS from '*' to explicit domain list
- Note: .env NEXT_PUBLIC_API_URL should use https://vid.k9tech.space/api
  (not localhost) for browser access from other machines

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude Dev 1 month ago
Parent
Commit
561b01dc30
2 changed files with 4 additions and 3 deletions
  1. docker-compose.yml (+1 -1)
  2. packages/api/src/index.ts (+3 -2)

+ 1 - 1
docker-compose.yml

@@ -57,7 +57,7 @@ services:
       NODE_ENV: production
       UPLOAD_DIR: /app/uploads
       MAX_FILE_SIZE_MB: 500
-      ALLOWED_ORIGINS: '*'
+      ALLOWED_ORIGINS: 'https://vid.k9tech.space,http://vid.k9tech.space'
       FRONTEND_URL: https://vid.k9tech.space
       RESEND_API_KEY: ${RESEND_API_KEY:-}
     ports:
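Review bot: the new `ALLOWED_ORIGINS` value keeps `http://vid.k9tech.space` on the allow list next to the https origin. Since this list now gates credentialed cross-origin requests (the commit message says the change is needed for `credentials: include`), a plaintext origin on the list means the browser will attach the session to API calls made from a page served without TLS. Unless the http site is only a redirect that never issues API calls, drop the `http://` entry and rely on the frontend redirecting to https, i.e. `ALLOWED_ORIGINS: 'https://vid.k9tech.space'`.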

+ 3 - 2
packages/api/src/index.ts

@@ -16,10 +16,11 @@ const app = express();
 const PORT = process.env.API_PORT || 3001;
 
 // ── Middleware ────────────────────────────────────────────────────────────────
-const allowedOrigins = process.env.ALLOWED_ORIGINS || '';
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || '').split(',').filter(Boolean);
 app.use(cors({
   origin: (origin, callback) => {
-    if (!origin || allowedOrigins === '*' || allowedOrigins.split(',').includes(origin)) {
+    // Allow if: no origin (server-side), OR '*', OR origin is in allowed list
+    if (!origin || allowedOrigins.includes('*') || allowedOrigins.includes(origin)) {
       callback(null, true);
     } else {
       callback(new Error(`Origin ${origin} not allowed by CORS policy`));
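Review bot: the `allowedOrigins.includes('*')` branch preserves the wildcard escape hatch, and because `callback(null, true)` makes the cors middleware echo the request's `Origin` header, a `*` entry reflects any origin; with credentials enabled that is the behaviour this commit sets out to retire, so consider removing the branch (or refusing to start when `*` is configured) so only the explicit list is ever honoured. A smaller point on the same line: `split(',')` does not trim, so a value such as `'https://a.example, https://b.example'` silently rejects the second origin; add `.map(s => s.trim())` before `.filter(Boolean)`.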