fix: Use CORS function with regex for Vercel preview deployments

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: Datakult0r

backend/src/server.js

@@ -36,11 +36,27 @@ app.use(helmet());
 
 // CORS Configuration for Production
 const corsOptions = {
-  origin: [
-    'http://localhost:5173', // Local development
-    'https://ai-grant-crawler-a2a-pro.vercel.app', // Production frontend
-    'https://ai-grant-crawler-a2a-pro-*.vercel.app' // Vercel preview deployments
-  ],
+  origin: function (origin, callback) {
+    const allowedOrigins = [
+      'http://localhost:5173',
+      'https://ai-grant-crawler-a2a-pro.vercel.app'
+    ];
+
+    // Allow requests with no origin (like mobile apps or curl requests)
+    if (!origin) return callback(null, true);
+
+    // Check if origin is in allowed list
+    if (allowedOrigins.includes(origin)) {
+      return callback(null, true);
+    }
+
+    // Allow all Vercel preview deployments
+    if (origin.match(/^https:\/\/ai-grant-crawler-a2a-pro-.*\.vercel\.app$/)) {
+      return callback(null, true);
+    }
+
+    callback(new Error('Not allowed by CORS'));
+  },
   credentials: true,
   optionsSuccessStatus: 200
 };