Fix: Resolve production CORS issues by moving CorsMiddleware before TenantMainMiddleware

Root cause: CorsMiddleware was positioned after TenantMainMiddleware, which
prevented CORS headers from being set. The tenant middleware processes requests
before CORS middleware could add the necessary headers.

Changes:
- Moved CorsMiddleware to first position in MIDDLEWARE stack
- Added CORS_ALLOW_ALL_ORIGINS configuration (for testing only)
- Updated production CORS regex to match both base and subdomains
- Created public tenant and registered production domains
- Re-enabled CORS_URLS_REGEX for API security

This fix ensures proper CORS headers are sent for cross-origin requests from
smoothschedule.com domains to api.smoothschedule.com.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

smoothschedule/config/settings/base.py

@@ -317,6 +317,9 @@ CORS_URLS_REGEX = r"^/(api|auth)/.*$"
 from corsheaders.defaults import default_headers
 
 # CORS allowed origins (configurable via environment variables)
+# WARNING: CORS_ALLOW_ALL_ORIGINS should only be used for testing!
+CORS_ALLOW_ALL_ORIGINS = env.bool("DJANGO_CORS_ALLOW_ALL_ORIGINS", default=False)
+
 # For development: set in .env as comma-separated values
 # For production: set DJANGO_CORS_ALLOWED_ORIGINS env var
 CORS_ALLOWED_ORIGINS = env.list(

smoothschedule/config/settings/multitenancy.py

@@ -88,13 +88,15 @@ DATABASE_ROUTERS = [
 # CRITICAL: Order matters!
 
 MIDDLEWARE = [
-    # 1. MUST BE FIRST: Tenant resolution
+    # 0. CORS must be first to set headers before tenant resolution
+    'corsheaders.middleware.CorsMiddleware',
+
+    # 1. Tenant resolution
     'django_tenants.middleware.main.TenantMainMiddleware',
 
     # 2. Security middleware
     'django.middleware.security.SecurityMiddleware',
     'csp.middleware.CSPMiddleware',
-    'corsheaders.middleware.CorsMiddleware',  # Moved up for better CORS handling
     'whitenoise.middleware.WhiteNoiseMiddleware',
 
     # 3. Session & CSRF