fix: harden ALLOWED_ORIGINS parsing to avoid lockout on empty values

Author: adityapichikala

backend/server.js

@@ -15,9 +15,10 @@ const app = express();
 
 // CORS configuration — allowed origins are read from the ALLOWED_ORIGINS env var
 // (comma-separated). Falls back to localhost for local development.
-const allowedOrigins = process.env.ALLOWED_ORIGINS
-    ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim())
-    : ['http://localhost:5173'];
+const parsedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(',').map(origin => origin.trim()).filter(Boolean)
+    : [];
+const allowedOrigins = parsedOrigins.length > 0 ? parsedOrigins : ['http://localhost:5173'];
 
 app.use(cors({
     origin: function (origin, callback) {