Remove hardcoded domain from CORS, add configurable ALLOWED_ORIGIN env var

backend/server.js

@@ -105,17 +105,21 @@ app.use(helmet({
   hidePoweredBy: true
 }));
 
-// CORS configuration to allow local network and HTTPS domain
+// CORS configuration to allow local network and custom domain
 const allowedOrigins = [
   'http://localhost:12345',
   'http://localhost:9000',
-  'https://tv.iulian.uk',
-  'http://tv.iulian.uk',
   /^http:\/\/192\.168\.\d{1,3}\.\d{1,3}(:\d+)?$/, // Local network 192.168.x.x
   /^http:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?$/, // Local network 10.x.x.x
   /^http:\/\/172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}(:\d+)?$/ // Local network 172.16-31.x.x
 ];
 
+// Add custom domain origins from environment variable
+if (process.env.ALLOWED_ORIGIN) {
+  const customOrigins = process.env.ALLOWED_ORIGIN.split(',').map(o => o.trim());
+  allowedOrigins.push(...customOrigins);
+}
+
 // Mount logo-proxy BEFORE global CORS to handle public image serving
 app.use('/api/logo-proxy', require('./routes/logo-proxy'));
 

docker-compose.yml

@@ -2,7 +2,8 @@
 
 services:
   streamflow:
-    image: aiulian25/streamflow:latest
+    build: .
+    image: tv-streamflow
     container_name: streamflow
     restart: unless-stopped
     ports:
@@ -13,10 +14,11 @@ services:
       - PORT=12345
       - DB_PATH=/app/data/streamflow.db
       - JWT_SECRET=${JWT_SECRET:-change_this_in_production}
-      - SESSION_SECRET=${SESSION_SECRET:-change_this_in_production}
+      - SESSION_SECRET=${SESSION_SESSION:-change_this_in_production}
       - DISABLE_SIGNUPS=true
       - MAX_RECORDING_SIZE=100GB
       - ENABLE_GPU=${ENABLE_GPU:-false}
+      - ALLOWED_ORIGIN=${ALLOWED_ORIGIN:-https://your-domain.com,http://your-domain.com}
     volumes:
       - streamflow-data:/app/data
       - streamflow-logs:/app/logs