fix: Update ALLOWED_HOSTS and CORS_ALLOWED_ORIGINS defaults in Django settings

backend/config/django/base.py

@@ -13,12 +13,12 @@ from decouple import config
 
 DEBUG = config("DEBUG", default=True)
 SECRET_KEY = config("SECRET_KEY")
-ALLOWED_HOSTS = config("ALLOWED_HOSTS")
+ALLOWED_HOSTS = config("ALLOWED_HOSTS", default="localhost,127.0.0.1", cast=lambda v: [s.strip() for s in v.split(',') if s.strip()])
 DATABASE_URL = config("DATABASE_URL")
 CACHE_URL = config("CACHE_URL", default="locmem://")
 EMAIL_URL = config("EMAIL_URL", default="console://")
 REDIS_URL = config("REDIS_URL", default="redis://127.0.0.1:6379/1")
-CORS_ALLOWED_ORIGINS = config("CORS_ALLOWED_ORIGINS", default=[])
+CORS_ALLOWED_ORIGINS = config("CORS_ALLOWED_ORIGINS", default="", cast=lambda v: [s.strip() for s in v.split(',') if s.strip()])
 API_RATE_LIMIT_PER_MINUTE = config("API_RATE_LIMIT_PER_MINUTE", default=60)
 API_RATE_LIMIT_PER_HOUR = config("API_RATE_LIMIT_PER_HOUR", default=1000)
 CACHE_MIDDLEWARE_SECONDS = config("CACHE_MIDDLEWARE_SECONDS", default=300)
@@ -43,13 +43,12 @@ if apps_dir.exists() and str(apps_dir) not in sys.path:
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = config("SECRET_KEY")
 
-# Allowed hosts
+# Allowed hosts (already configured above)
-ALLOWED_HOSTS = config("ALLOWED_HOSTS")
 
 # CSRF trusted origins
 CSRF_TRUSTED_ORIGINS = config(
-    "CSRF_TRUSTED_ORIGINS", default=[]
+    "CSRF_TRUSTED_ORIGINS", default="", cast=lambda v: [s.strip() for s in v.split(',') if s.strip()]
-)  # type: ignore[arg-type]
+)
 
 # Application definition
 DJANGO_APPS = [

backend/thrillwiki/urls.py

@@ -107,7 +107,7 @@ urlpatterns = [
 if HAS_AUTOCOMPLETE and autocomplete_urls:
     urlpatterns.insert(
         2,
-        path("ac/", include(autocomplete_urls)),
+        path("ac/", include(autocomplete_urls[:2], namespace=autocomplete_urls[2])),
     )
 
 # Add API Documentation URLs if available