fix: support comma-separated CORS_ORIGINS environment variable

Add NoDecode annotation to cors_origins field in Settings to properly parse comma-separated values from environment variables. Add test to verify CORS_ORIGINS accepts comma-separated list.

backend/app/core/config.py

@@ -1,7 +1,8 @@
 from functools import lru_cache
+from typing import Annotated
 
 from pydantic import field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic_settings import BaseSettings, NoDecode, SettingsConfigDict
 
 
 class Settings(BaseSettings):
@@ -13,7 +14,7 @@ class Settings(BaseSettings):
     jwt_secret_key: str
     settings_secret_key: str
     cookie_secure: bool = True
-    cors_origins: list[str] = ["http://localhost"]
+    cors_origins: Annotated[list[str], NoDecode] = ["http://localhost"]
     log_level: str = "INFO"
     default_timezone: str = "Europe/Vienna"
     daily_worker_interval_seconds: int = 300

backend/app/tests/test_security.py

@@ -1,3 +1,4 @@
+from app.core.config import Settings
 from app.core.security import hash_password, hash_token, verify_password
 
 
@@ -12,3 +13,13 @@ def test_tokens_are_hashed() -> None:
     assert hash_token("secret") == hash_token("secret")
     assert hash_token("secret") != "secret"
 
+
+def test_cors_origins_accept_comma_separated_env(monkeypatch) -> None:
+    monkeypatch.setenv("JWT_SECRET_KEY", "test-jwt-secret")
+    monkeypatch.setenv("SETTINGS_SECRET_KEY", "test-settings-secret")
+    monkeypatch.setenv("CORS_ORIGINS", "http://localhost,http://localhost:5173")
+
+    settings = Settings()
+
+    assert settings.cors_origins == ["http://localhost", "http://localhost:5173"]
+