CORS origin callback strips trailing slashes, logs allowed origin at startup
A one-commit change in Maison-Retail-Management-International/mike swaps Express's static CORS origin string for a callback that normalizes trailing slashes before comparing. Small, self-contained, and fixes a silent misconfiguration failure mode.
The original code passed process.env.FRONTEND_URL ?? "http://localhost:3000" directly to cors({ origin: ... }). If FRONTEND_URL was set with a trailing slash, that string never matched any browser-sent origin (browsers omit trailing slashes), so every cross-origin request was blocked with no obvious error.
Commit a2a1cb2 fixes this by pre-computing frontendUrl with .replace(/\/$/, "") applied to the env value, then using a callback that normalizes the incoming origin the same way before comparing. Requests with no Origin header pass through (standard behavior for non-browser clients). Anything else that doesn't match gets new Error('CORS blocked origin: ${origin}'). A startup log line prints CORS allowed origin: ${frontendUrl} so deployment misconfigurations surface immediately.
The change is 18 lines added in two files: backend/src/index.ts and a comment added to backend/.env.example pointing to the production workers.dev URL.
One constraint to note: it only supports a single allowed origin. If you need multiple allowed origins, you'd extend the callback with an array check.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?