feat: Support multiple CORS origins and enhance origin validation

- Updated `fly.toml` to allow multiple CORS origins.
- Refactored CORS logic in `index.ts` to validate and support multiple origins, including handling requests with no origin.

backend/src/index.ts

@@ -40,8 +40,23 @@ const fastify = Fastify({
 });
 
 // Register plugins
+// Support multiple origins for CORS
+const allowedOrigins = env.CORS_ORIGIN.split(',').map(o => o.trim());
 fastify.register(cors, {
-  origin: env.CORS_ORIGIN,
+  origin: (origin, cb) => {
+    // Allow requests with no origin (like mobile apps or curl)
+    if (!origin) {
+      cb(null, true);
+      return;
+    }
+
+    // Check if origin is in allowed list
+    if (allowedOrigins.some(allowed => origin === allowed || origin.endsWith(allowed))) {
+      cb(null, true);
+    } else {
+      cb(new Error('Not allowed by CORS'), false);
+    }
+  },
   credentials: true,
 });