Fix CORS setup

[mattgotteiner]

Purpose

• Issue CORS blocking redirect on app services logout #1780 indicated something was wrong with the CORS configuration
• ALLOWED_ORIGIN was not set properly so the app backend couldn't respond to cross-origin requests that are allowed
• Fix setting of ALLOWED_ORIGIN in bicep

Does this introduce a breaking change?

When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.

[ ] Yes
[X] No

Does this require changes to learn.microsoft.com docs?

This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.

[ ] Yes
[X] No

Type of change

[X] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

[pamelafox]

mypy eek

[pamelafox]

Does this always end up allowing origins even if they don't enable user auth? I dont see a conditional that makes it empty in that case. But maybe my eyes have glazed over.

[pamelafox]

Or maybe we always allowed them anyway?

[mattgotteiner]

allowedOrigin should be empty if they don't enable user auth. I will double check this, good catch

[mattgotteiner]

So this is an interesting case

1. We were never enabling the portal origins before due to a bug
2. So unless they explicitly specified an allowed origin, we never enabled cors

My thought is that we want to only add in the portal / login origins if auth is enabled, otherwise just pick the origins they added. I'll make this adjustment

[mattgotteiner]

We do need to allow credentials