removed duplicate reference of allowed_origin in env (bruh moment)

contact-api/src/turnstile.ts

@@ -7,6 +7,18 @@ type TurnstileVerifyResponse = {
   "error-codes"?: string[];
 };
 
+const normalizeHostname = (value: string): string =>
+  value
+    .trim()
+    .replace(/^['"]|['"]$/g, "")
+    .replace(/\.+$/g, "")
+    .toLowerCase();
+
+const expectedHostnames = config.TURNSTILE_EXPECTED_HOSTNAME
+  .split(",")
+  .map(normalizeHostname)
+  .filter((value, index, all) => value.length > 0 && all.indexOf(value) === index);
+
 export async function verifyTurnstileToken(
   token: string,
   remoteIp?: string,
@@ -36,7 +48,7 @@ export async function verifyTurnstileToken(
     return { ok: false, reason: codes };
   }
 
-  if (result.hostname !== config.TURNSTILE_EXPECTED_HOSTNAME) {
+  if (!result.hostname || !expectedHostnames.includes(normalizeHostname(result.hostname))) {
     return { ok: false, reason: "hostname_mismatch" };
   }