How to configure CORS correctly? [duplicate]

Currently, my CORS setup only allows access from specified domains depending on the environment. However, I can still perform operations from Postman, curl, etc. What’s going wrong?

const allowedOrigins = [
  'https://xxxx.app',
  'https://www.xxxx.app',
  'https://dev.xxxx.app',
  'https://www.dev.xxxx.app'
].map(origin => origin.replace(//$/, ''));

const corsOptions = {
  origin: function (origin, callback) {
    const normalizedOrigin = origin ? origin.replace(//$/, '') : null;

    if (!normalizedOrigin) {
      return callback(null, true);
    }

    if (allowedOrigins.includes(normalizedOrigin)) {
      return callback(null, true);
    } else {
      const msg = 'CORS origin not allowed: ' + normalizedOrigin;
      return callback(new Error(msg), false);
    }
  },
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'], 
  allowedHeaders: ['Content-Type', 'Authorization'], 
  credentials: true,
};

app.options('*', cors()); 

if (process.env.NODE_ENV === 'production' || process.env.NODE_ENV === 'development') {
  app.use(cors(corsOptions));
} else {
  app.use(cors());
}