fix: read CORS allowedOrigins from SERVER_ORIGIN env var instead of hardcoding

Replace hardcoded ['http://localhost:3000'] with getAllowedOrigins() helper
that reads SERVER_ORIGIN from the env/config system. Falls back to
localhost for local dev when SERVER_ORIGIN is not set.

Also fixes the pre-existing hardcoded value in BucketProvisionerPreset.

Author: pyramation

graphile/graphile-settings/src/presets/constructive-preset.ts

@@ -19,7 +19,7 @@ import { PresignedUrlPreset } from 'graphile-presigned-url-plugin';
 import { BucketProvisionerPreset } from 'graphile-bucket-provisioner-plugin';
 import { SqlExpressionValidatorPreset } from 'graphile-sql-expression-validator';
 import { constructiveUploadFieldDefinitions } from '../upload-resolver';
-import { getPresignedUrlS3Config, createBucketNameResolver, createEnsureBucketProvisioned } from '../presigned-url-resolver';
+import { getPresignedUrlS3Config, createBucketNameResolver, createEnsureBucketProvisioned, getAllowedOrigins } from '../presigned-url-resolver';
 import { getBucketProvisionerConnection } from '../bucket-provisioner-resolver';
 
 /**
@@ -93,11 +93,11 @@ export const ConstructivePreset: GraphileConfig.Preset = {
     PresignedUrlPreset({
       s3: getPresignedUrlS3Config,
       resolveBucketName: createBucketNameResolver(),
-      ensureBucketProvisioned: createEnsureBucketProvisioned(['http://localhost:3000']),
+      ensureBucketProvisioned: createEnsureBucketProvisioned(),
     }),
     BucketProvisionerPreset({
       connection: getBucketProvisionerConnection,
-      allowedOrigins: ['http://localhost:3000'],
+      allowedOrigins: getAllowedOrigins(),
     }),
     SqlExpressionValidatorPreset(),
     PgTypeMappingsPreset,

graphile/graphile-settings/src/presigned-url-resolver.ts

@@ -84,6 +84,19 @@ export function createBucketNameResolver(): BucketNameResolver {
   };
 }
 
+/**
+ * Resolve CORS allowed origins from the env/config system.
+ *
+ * Reads SERVER_ORIGIN from the standard env hierarchy
+ * (pgpmDefaults → config file → env vars) and wraps it in an array.
+ * Falls back to ['http://localhost:3000'] for local development.
+ */
+export function getAllowedOrigins(): string[] {
+  const { server } = getEnvOptions();
+  if (server?.origin) return [server.origin];
+  return ['http://localhost:3000'];
+}
+
 /**
  * Create a lazy bucket provisioner callback for the presigned URL plugin.
  *
@@ -92,13 +105,10 @@ export function createBucketNameResolver(): BucketNameResolver {
  * (Block Public Access, CORS, policies, lifecycle rules for temp buckets).
  *
  * Uses the same S3 connection config as the bucket provisioner plugin
- * (getBucketProvisionerConnection) and the same CORS origins.
- *
- * @param allowedOrigins - CORS origins for presigned URL uploads
+ * (getBucketProvisionerConnection) and reads CORS origins from
+ * SERVER_ORIGIN env var (falls back to localhost for local dev).
  */
-export function createEnsureBucketProvisioned(
-  allowedOrigins: string[],
-): EnsureBucketProvisioned {
+export function createEnsureBucketProvisioned(): EnsureBucketProvisioned {
   let provisioner: BucketProvisioner | null = null;
 
   return async (
@@ -109,7 +119,7 @@ export function createEnsureBucketProvisioned(
     if (!provisioner) {
       provisioner = new BucketProvisioner({
         connection: getBucketProvisionerConnection(),
-        allowedOrigins,
+        allowedOrigins: getAllowedOrigins(),
       });
     }