fix: use relative API URLs and allow any LAN IP for CORS

apps/Backend/src/app.ts

@@ -39,19 +39,16 @@ function isOriginAllowed(origin?: string | null) {
   if (!origin) return true; // allow non-browser clients (curl/postman)
 
   if (NODE_ENV !== "production") {
-    // Dev mode: allow localhost origins automatically
+    // Dev mode: allow localhost and any private LAN range
     if (
       origin.startsWith("http://localhost") ||
       origin.startsWith("http://127.0.0.1") ||
-      origin.startsWith("http://192.168.0.240")
+      /^https?:\/\/10\.\d+\.\d+\.\d+/.test(origin) ||
+      /^https?:\/\/172\.(1[6-9]|2\d|3[01])\.\d+\.\d+/.test(origin) ||
+      /^https?:\/\/192\.168\.\d+\.\d+/.test(origin)
     )
       return true;
-    // allow explicit FRONTEND_URLS if provided
     if (FRONTEND_URLS.includes(origin)) return true;
-    // optionally allow the server's LAN IP if FRONTEND_LAN_IP is provided
-    const lanIp = process.env.FRONTEND_LAN_IP;
-    if (lanIp && origin.startsWith(`http://${lanIp}`)) return true;
-    // fallback: deny if not matched
     return false;
   }
 

apps/Frontend/.env

@@ -1,4 +1,4 @@
 NODE_ENV=development
 HOST=0.0.0.0
 PORT=3000
-VITE_API_BASE_URL_BACKEND=http://localhost:5000
+VITE_API_BASE_URL_BACKEND=