fix: fetch collators from parachains and restrict CORS to production domains

- NetworkStats now queries Asset Hub and People Chain for collator data
  instead of relay chain (where collatorSelection doesn't exist)
- Restrict Edge Functions CORS to app.pezkuwichain.io domains only
- Add Access-Control-Allow-Credentials header for secure cross-origin requests

web/supabase/functions/process-withdraw/index.ts

@@ -7,9 +7,20 @@ import { createClient } from 'npm:@supabase/supabase-js@2'
 import { ApiPromise, WsProvider, Keyring } from 'npm:@pezkuwi/api@16.5.11'
 import { cryptoWaitReady } from 'npm:@pezkuwi/util-crypto@14.0.11'
 
-const corsHeaders = {
-  'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+// Allowed origins for CORS
+const ALLOWED_ORIGINS = [
+  'https://app.pezkuwichain.io',
+  'https://www.pezkuwichain.io',
+  'https://pezkuwichain.io',
+]
+
+function getCorsHeaders(origin: string | null) {
+  const allowedOrigin = origin && ALLOWED_ORIGINS.includes(origin) ? origin : ALLOWED_ORIGINS[0]
+  return {
+    'Access-Control-Allow-Origin': allowedOrigin,
+    'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+    'Access-Control-Allow-Credentials': 'true',
+  }
 }
 
 // Platform hot wallet address
@@ -167,6 +178,8 @@ async function sendTokens(
 }
 
 serve(async (req) => {
+  const corsHeaders = getCorsHeaders(req.headers.get('Origin'))
+
   // Handle CORS preflight
   if (req.method === 'OPTIONS') {
     return new Response(null, { headers: corsHeaders })