set cors origins to env.ORIGINS if set, otherwise set it to * (env.ORIGINS should be an array of allowed hosts separated by spaces)
set cors credentials to true
change sameSite to None for refresh-token cookie because of Heroku being a public domain (Should be set to Strict when deployed to the main domain, explained in code comments)
set refresh-token maxAge to 7 days, otherwise it'll be a session cookie and will be deleted after the user closes the browser window
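The configuration described in this commit, as an added example that is not the project's own code: it builds option objects in the shape that Express's `cors` middleware and `res.cookie()` accept (`origin`, `credentials`, `sameSite`, `secure`, `maxAge`). The `CROSS_SITE_COOKIES` flag used to switch between the Heroku (cross-site) and main-domain deployments is an assumption, as is the `credentialsUsable` check; the commit only says the switch is explained in code comments.

```javascript
// Added example, not the project's code. Option objects are shaped for the
// `cors` middleware and Express `res.cookie()`; env variable names other than
// ORIGINS (CROSS_SITE_COOKIES) are assumptions.

const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000; // 604800000

// env.ORIGINS is a space-separated list of allowed origins; unset or blank
// falls back to the wildcard, matching the commit's behaviour.
function parseOrigins(originsEnv) {
  if (typeof originsEnv !== 'string' || originsEnv.trim() === '') return '*';
  return originsEnv.trim().split(/\s+/);
}

function corsOptions(env) {
  return { origin: parseOrigins(env.ORIGINS), credentials: true };
}

// Browsers refuse a credentialed response whose Access-Control-Allow-Origin is
// "*", so with credentials: true the wildcard fallback only serves requests
// that carry no cookies. This check makes that limitation visible at startup.
function credentialsUsable(options) {
  return options.credentials === true && options.origin !== '*';
}

// Refresh-token cookie. On a shared public host (a Heroku subdomain) the front
// end and the API are different sites, so SameSite must be None, which browsers
// only honour together with Secure. On the main domain, Strict is the safer
// setting. maxAge is required: without it the cookie is a session cookie and is
// dropped when the browser window closes.
function refreshCookieOptions(env) {
  const crossSite = env.CROSS_SITE_COOKIES === 'true'; // assumed flag
  return {
    httpOnly: true,
    secure: true,
    sameSite: crossSite ? 'none' : 'strict',
    maxAge: SEVEN_DAYS_MS,
    path: '/',
  };
}

// Stand-alone demo with a constructed environment.
const demoEnv = {
  ORIGINS: 'https://app.example.com https://admin.example.com', // constructed
  CROSS_SITE_COOKIES: 'true',
};
const demoCors = corsOptions(demoEnv);
console.log('cors:', demoCors, 'credentials usable:', credentialsUsable(demoCors));
console.log('refresh cookie:', refreshCookieOptions(demoEnv));
```

If `ORIGINS` is left unset in an environment where the browser must send the refresh-token cookie, `credentialsUsable` returns false; logging or failing fast on that at startup catches the misconfiguration before the first cross-site request silently loses its cookie.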