fix(GRO-622): security hardening for auth, authorization, and token handling

- Remove placeholder secret fallback in AUTH_DISABLED mode (auth.ts)
- Make auth-provider setup atomic via DB transaction (setup.ts)
- Fix confirmation token replay with atomic UPDATE...WHERE (book.ts)
- Add strict CORS origin allowlist validation (index.ts)
- Validate OIDC discovery URL hostname matches issuer (auth.ts)
- Use timingSafeEqual for iCal token comparison (calendar.ts)
- Add in-memory rate limiting to setup endpoints (setup.ts)
- Keep RBAC error message correct (rbac.ts - already correct in main)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/index.ts

@@ -33,11 +33,26 @@ import { webhooksRouter } from "./routes/stripe-webhooks.js";
 const app = new Hono();
 
 // Global middleware
+const TRUSTED_ORIGINS = (process.env.CORS_ORIGIN ?? "http://localhost:5173")
+  .split(",")
+  .map((o) => o.trim());
+
+const ALLOWED_ORIGIN = process.env.CORS_ORIGIN ?? "http://localhost:5173";
+
 app.use("*", logger());
 app.use(
   "/api/*",
   cors({
-    origin: process.env.CORS_ORIGIN ?? "http://localhost:5173",
+    origin: (origin, ctx) => {
+      if (!origin) {
+        return ALLOWED_ORIGIN;
+      }
+      if (TRUSTED_ORIGINS.includes(origin)) {
+        return origin;
+      }
+      ctx.status(403);
+      return null;
+    },
     credentials: true,
   })
 );