fix(cors): enable preflight for Capacitor WebView requests

Add express cors middleware with reflected origin so Android clients from https://localhost receive Access-Control-Allow-* headers on OPTIONS and can proceed with POST requests.
2026-06-04 18:26:22 +08:00
parent df442df869
commit dffb86007e
3 changed files with 3807 additions and 0 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -12,12 +12,14 @@
    "@peculiar/asn1-ecc": "^2.3.8",
    "@peculiar/asn1-schema": "^2.3.8",
    "cbor-x": "^1.5.9",
+    "cors": "^2.8.6",
    "did-jwt": "^7.4.7",
    "did-resolver": "^4.1.0",
    "express": "^5.1.0",
    "firebase-admin": "^13.9.0"
  },
  "devDependencies": {
+    "@types/cors": "^2.8.19",
    "@types/express": "^5.0.0",
    "@types/node": "^22.10.0",
    "tsx": "^4.19.2",
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,3 +1,4 @@
+import cors from "cors";
 import express from "express";
 import "./services/firebase.js";
 import { debugRouter } from "./routes/debug.js";
@@ -7,6 +8,14 @@ import { startScheduler } from "./scheduler.js";
 const app = express();
 const port = Number(process.env.PORT) || 3000;

+app.use(
+  cors({
+    origin: true,
+    methods: ["GET", "POST", "OPTIONS"],
+    allowedHeaders: ["Content-Type", "Authorization"],
+  }),
+);
+
 app.use(express.json());

 // Keep stable for diagnostics tooling compatibility