exports.origin = (whitelist) => (origin, callback) => {
  // Allow requests with no origin (mobile apps, postman, curl)
  if (!origin) return callback(null, true)

  // Allow exact domain
  if (whitelist.includes(origin)) {
    return callback(null, true)
  }

  // Allow localhost with any port
  if (origin.startsWith('http://localhost')) {
    return callback(null, true)
  }

  return callback(new Error('Not allowed by CORS'))
}