Refactor CORS configuration to ensure allowed origins are fully qualified URLs for better compatibility

Author: LXMachado

backend/config/cors.php

@@ -19,11 +19,40 @@
 
     'allowed_methods' => ['*'],
 
-    'allowed_origins' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
-        '%s%s',
-        'localhost,localhost:3000,localhost:3001,127.0.0.1,127.0.0.1:8000,::1',
-        Laravel\Sanctum\Sanctum::currentApplicationUrlWithPort()
-    ))),
+    /*
+    |--------------------------------------------------------------------------
+    | Allowed Origins
+    |--------------------------------------------------------------------------
+    |
+    | Sanctum stores stateful domains as host names (without a scheme), but the
+    | CORS layer expects fully qualified origins. Converting the configured
+    | domains to http/https origins keeps credentialed requests working in
+    | local development while still allowing overrides through the env file.
+    |
+    */
+    'allowed_origins' => array_map(
+        static function (string $domain): string {
+            $trimmed = trim($domain);
+            if ($trimmed === '') {
+                return $trimmed;
+            }
+
+            if (str_contains($trimmed, '://')) {
+                return $trimmed;
+            }
+
+            if ($trimmed === '::1') {
+                return 'http://[::1]';
+            }
+
+            return sprintf('http://%s', $trimmed);
+        },
+        array_filter(explode(',', env('CORS_ALLOWED_ORIGINS', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
+            '%s,%s',
+            'localhost,localhost:3000,localhost:3001,127.0.0.1,127.0.0.1:3000,127.0.0.1:8000,::1',
+            Laravel\Sanctum\Sanctum::currentApplicationUrlWithPort()
+        )))))
+    ),
 
     'allowed_origins_patterns' => [],
 
@@ -35,4 +64,4 @@
 
     'supports_credentials' => true,
 
-];
+];