Phase 1-2 of server consolidation + security hardening

inventory-server/shared/cors/policy.js

@@ -0,0 +1,24 @@
+export const allowedOrigins = [
+  'https://tools.acherryontop.com',
+  'https://inventory.kent.pw',
+  'https://acot.site',
+  /^http:\/\/localhost:(5174|5175)$/,
+];
+
+export const corsOptions = {
+  origin(origin, callback) {
+    if (!origin) return callback(null, true);
+    const ok = allowedOrigins.some((allowed) =>
+      allowed instanceof RegExp ? allowed.test(origin) : allowed === origin
+    );
+    if (ok) return callback(null, true);
+    callback(new Error('CORS not allowed'));
+  },
+  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization'],
+  exposedHeaders: ['Content-Type'],
+  credentials: true,
+  maxAge: 600,
+};
+
+export default corsOptions;