diff --git a/lib/auth/constants.ts b/lib/auth/constants.ts
index 9dc82af9..00c17f20 100644
--- a/lib/auth/constants.ts
+++ b/lib/auth/constants.ts
@@ -20,7 +20,7 @@ import {
 export const GetSession = async ({ cookies = '' }) => {
 try {
- const response = await fetch(`${process.env.MAIN_URL}/api/v1/auth/session`, {
+ const response = await fetch(`${process.env.API_URL}/api/v1/auth/session`, {
 method: 'GET',
 headers: {
 Accept: 'application/json',
@@ -29,6 +29,7 @@ export const GetSession = async ({ cookies = '' }) => {
 },
 });
 const session = await response.json();
+ console.log({ cookies, session });
 return session;
 } catch (e) {
 console.error(e);
diff --git a/lib/model/interfaces/get-private-abilities.ts b/lib/model/interfaces/get-private-abilities.ts
index d5248dd8..08bc2029 100644
--- a/lib/model/interfaces/get-private-abilities.ts
+++ b/lib/model/interfaces/get-private-abilities.ts
@@ -14,7 +14,7 @@ const getPrivateAbilities = async ({
 limit = PAGE_SIZE,
 filters = [],
 }: any) => {
- const loggedUser = user || (await whoAmI());
+ const loggedUser = user || (await whoAmI({}));
 const adaptQuery: any = {
 where: {
diff --git a/lib/model/interfaces/get-private-services.ts b/lib/model/interfaces/get-private-services.ts
index 1e12f231..a8020ec8 100644
--- a/lib/model/interfaces/get-private-services.ts
+++ b/lib/model/interfaces/get-private-services.ts
@@ -14,7 +14,7 @@ const getPrivateServices = async ({
 limit = PAGE_SIZE,
 filters = [],
 }: any) => {
- const loggedUser = user || (await whoAmI());
+ const loggedUser = user || (await whoAmI({}));
 const adaptQuery: any = {
 where: {
diff --git a/lib/model/interfaces/middleware/authorization.ts b/lib/model/interfaces/middleware/authorization.ts
index 887255e0..658c4155 100644
--- a/lib/model/interfaces/middleware/authorization.ts
+++ b/lib/model/interfaces/middleware/authorization.ts
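Review bot: In `lib/auth/constants.ts`, `GetSession` now builds its URL from `process.env.API_URL` with no check that the variable is set, so a missing value produces the literal `undefined/api/v1/auth/session` and the failure is only logged by the `catch`. Because this call takes the caller's `cookies` (presumably forwarded in the request headers, which lie outside the hunk), I would validate the base URL once at startup, e.g. `if (!process.env.API_URL) throw new Error('API_URL is not set');`, and ideally require it to be `https:`. The middleware in this commit lists `API_HOST`, not `API_URL`, so it is worth confirming that both variables are meant to exist.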
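Review bot: The added `console.log({ cookies, session });` in `GetSession` (`lib/auth/constants.ts`, second hunk) writes the raw cookie string and the full session object to the server log, which puts session credentials and user data within reach of anyone who can read the logs. The same pattern is added in `whoAmI` (`console.log({ cookieString, session })`), in `updatePrivateUserFavoriteListings` (`console.log({ user, loggedUser })`) and in the `PATCH` handler of `src/app/api/v1/user/route.ts` (`console.log({ session, body, cookies })`). These look like debugging aids; I would drop them before merge, or log only a non-sensitive marker such as `console.debug('GetSession', { hasSession: Boolean(session?.user) });`.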
@@ -1,7 +1,7 @@
 // @interfaces/middleware/authorization.ts
 import { getSession, GetSession } from '@auth';
 import { GetPrivateAbilities } from '@controller';
-import { cookies } from 'next/headers';
+import { cookies as nextCookies } from 'next/headers';
 export const canI = async ({ name, user }: any) => {
 try {
 const ability = await GetPrivateAbilities({ name });
@@ -10,16 +10,17 @@ export const canI = async ({ name, user }: any) => {
 // return the capacity
 return yes;
 } catch (e) {
- throw new Error(`Code 003: Missing results: ${e}`);
+ throw new Error(`Code 008: User is not authorized ${e}`);
 }
 };
-export const whoAmI = async () => {
+export const whoAmI = async ({ cookies }: any) => {
 try {
- const cookieString = cookies().getAll().toString();
- const session = (await getSession()) || (await GetSession({ cookies: cookieString }));
+ const cookieString = nextCookies().getAll().toString();
+ const session = (await getSession()) || (await GetSession({ cookies: cookieString || cookies }));
 // to-do add authorization/validation checks
+ console.log({ cookieString, session });
 return session?.user;
 } catch (e) {
- throw new Error(`Code 003: Missing results: ${e}`);
+ throw new Error(`Code 007: Can't identify user ${e}`);
 }
 };
diff --git a/lib/model/interfaces/update-private-user-abilities.ts b/lib/model/interfaces/update-private-user-abilities.ts
index 5b24f60a..ef1f72e0 100644
--- a/lib/model/interfaces/update-private-user-abilities.ts
+++ b/lib/model/interfaces/update-private-user-abilities.ts
@@ -8,7 +8,7 @@ const updatePrivateUserAbilities = async ({ upsert = false, user, abilities }: a
 // to-do: move this will be a middleware
 if (abilities?.length === 0) return new Error('Code 002: Missing data (abilities)');
- const loggedUser = user || (await whoAmI());
+ const loggedUser = user || (await whoAmI({}));
 const payload = upsert
 ? {
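Review bot: In `whoAmI` (`lib/model/interfaces/middleware/authorization.ts`), `nextCookies().getAll().toString()` stringifies an array of cookie objects, which as far as I can tell yields `[object Object],…` rather than a `name=value` header, so `GetSession` receives an unusable cookie string whenever `getSession()` returns nothing. Because that string is non-empty as soon as one cookie exists, the new `cookieString || cookies` fallback to the caller-supplied value is only reached when the request carries no cookies at all; serialising explicitly, `const cookieString = nextCookies().getAll().map((c) => c.name + '=' + c.value).join('; ');`, would fix both. The parameter is destructured without a default, which is why every caller had to become `whoAmI({})`; `async ({ cookies }: any = {})` keeps a bare `whoAmI()` working. The `// to-do add authorization/validation checks` still stands, so the session is returned unvalidated.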
diff --git a/lib/model/interfaces/update-private-user-favorite-listings.ts b/lib/model/interfaces/update-private-user-favorite-listings.ts
index 6ca890c6..640481c6 100644
--- a/lib/model/interfaces/update-private-user-favorite-listings.ts
+++ b/lib/model/interfaces/update-private-user-favorite-listings.ts
@@ -7,7 +7,9 @@ const updatePrivateUserFavoriteListings = async ({ upsert = true, user, listings
 try {
 if (listings?.length === 0) return new Error('Code 002: Missing data (listings)');
- const loggedUser = user || (await whoAmI());
+ const loggedUser = user || (await whoAmI({}));
+
+ console.log({ user, loggedUser });
 const delta = upsert ? listings.filter((listing: any) => !loggedUser?.favorites?.includes(listing)) : [];
diff --git a/lib/model/interfaces/update-private-user-services.ts b/lib/model/interfaces/update-private-user-services.ts
index 395784ad..094ff9a5 100644
--- a/lib/model/interfaces/update-private-user-services.ts
+++ b/lib/model/interfaces/update-private-user-services.ts
@@ -8,7 +8,7 @@ const updatePrivateUserServices = async ({ upsert = false, user, services }: any
 // to-do: move this will be a middleware
 if (services?.length === 0) return new Error('Code 002: Missing data (services)');
- const loggedUser = user || (await whoAmI());
+ const loggedUser = user || (await whoAmI({}));
 const payload = upsert
 ? {
diff --git a/src/app/api/v1/user/route.ts b/src/app/api/v1/user/route.ts
index 83abb30d..963c9c50 100644
--- a/src/app/api/v1/user/route.ts
+++ b/src/app/api/v1/user/route.ts
@@ -25,7 +25,8 @@ export async function PATCH(request: CombineRequest) {
 const body = await request?.json();
 const listings = body?.listings;
- const user = body?.user || session?.user;
+ const user = session?.user;
+ console.log({ session, body, cookies });
 const data = await UpdatePrivateUserFavoriteListings({
 user,
diff --git a/src/middleware.ts b/src/middleware.ts
index 35619354..7a494ea3 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
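Review bot: The `PATCH` handler in `src/app/api/v1/user/route.ts` still has no early exit when `session?.user` is undefined: `user` is then passed on as `undefined`, and `UpdatePrivateUserFavoriteListings` falls back to `whoAmI({})` and to optional chaining on `loggedUser`. Unless a check sits outside this hunk (the handler starts before it and continues after it), I would reject the request right after this line, e.g. `if (!user) return new Response('Unauthorized', { status: 401 });`. `body?.listings` is likewise passed on without a shape check, which is worth validating before it reaches the update.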
@@ -16,8 +16,14 @@ export const config = {
 matcher: ['/api/:path*'],
 };
+const allowedOrigins = {
+ [`${process.env.MAIN_URL}`]: process.env.MAIN_URL,
+ [`${process.env.NEXUS_HOST}`]: process.env.NEXUS_HOST,
+ [`${process.env.API_HOST}`]: process.env.API_HOST,
+};
+
 const headers: Record = {
- 'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://www.dreampip.com',
+ 'Access-Control-Allow-Origin': `${process.env.MAIN_URL}` || 'https://www.dreampip.com',
 'Cache-Control': 'maxage=0, s-maxage=300, stale-while-revalidate=300',
 // DEV-DEBUG:
 // 'content-type': 'application/json',
@@ -27,6 +33,11 @@ const headers: Record = {
 };
 export default async function middleware(request: NextRequest) {
+ const origin = request.headers.get('x-forwarded-host') || '';
+ if (origin !== process.env.MAIN_URL) {
+ headers['Access-Control-Allow-Origin'] = allowedOrigins[origin] || 'https://www.dreampip.com';
+ }
+
 // You could alternatively limit based on user ID or similar
 const response = next();
 const ip = ipAddress(request) || '127.0.0.1';
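Review bot: Wrapping `process.env.MAIN_URL` in a template literal makes the `|| 'https://www.dreampip.com'` fallback unreachable in the `headers` initialiser of `src/middleware.ts`: when the variable is unset the expression is the non-empty string `undefined`, and that is what would be sent as `Access-Control-Allow-Origin`. The plain form keeps the fallback working, `'Access-Control-Allow-Origin': process.env.MAIN_URL || 'https://www.dreampip.com',`. The same interpolation in `allowedOrigins` gives every unset variable the key `undefined`, so I would build the allow-list from the defined values only, for instance `new Set([process.env.MAIN_URL, process.env.NEXUS_HOST, process.env.API_HOST].filter(Boolean))`.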
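Review bot: The block added at the top of `middleware` mutates the module-level `headers` object on each request, so the `Access-Control-Allow-Origin` chosen for one request stays in place for later and concurrent ones (nothing resets it when `origin` equals `MAIN_URL`). It also reads `x-forwarded-host`, a host name the client can influence unless a trusted proxy overwrites it, rather than the browser's `Origin` header, and `allowedOrigins[origin]` on a plain object resolves inherited keys such as `constructor`. I would compute the header on a per-request copy, using an own-property allow-list check on `Origin`, and add `Vary: Origin`; the allow-list entries then need to be full origins (scheme and host). The rest of the function lies outside this hunk and would have to use the per-request copy instead of `headers`.

```typescript
export default async function middleware(request: NextRequest) {
  const origin = request.headers.get('origin') ?? '';
  const isAllowed = Object.prototype.hasOwnProperty.call(allowedOrigins, origin);
  // Per-request copy: `headers` is module-level and shared by every request.
  const responseHeaders = {
    ...headers,
    'Access-Control-Allow-Origin': isAllowed ? origin : 'https://www.dreampip.com',
    Vary: 'Origin',
  };
  // … unchanged: rate limiting (next(), ipAddress(request)) …
```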