fix(node): proper CORS middleware + preflight handling
The desktop Electron renderer runs at http://127.0.0.1:5173 (dev) or file:// (prod); the node HTTP API is at a different origin by design. Browsers enforce CORS, and our per-handler `Access-Control-Allow-Origin: *` header only covered the happy path — preflight OPTIONS requests, which browsers send before any POST with a JSON body or Authorization header, fell through to the 404 handler without CORS headers and the subsequent real request was blocked. Added node/cors.go — a single middleware that: * Sets Access-Control-Allow-Origin / -Methods / -Headers / -Expose-Headers / -Max-Age on every response. * Short-circuits OPTIONS with 204, never invoking the mux. Wired into stats.go:ListenAndServe so the wrapping is unconditional (the node's security model gates writes by token + Ed25519 signature, not by origin, so wide CORS is the correct default). Cleaned up the now-redundant per-jsonOK/jsonErr Allow-Origin setters in api_common.go — the middleware sets a single consistent header instead of two collisions from handlers that both write one. Symptom before: `net::ERR_FAILED` / "CORS policy blocked" errors in the Electron devtools console when hitting /api/* or /relay/*. Symptom after: clean GET/POST, preflight answers in ~1ms.
This commit is contained in:
vsecoder
@@ -15,13 +15,11 @@ import (
|
||||
|
||||
func jsonOK(w http.ResponseWriter, v any) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
_ = json.NewEncoder(w).Encode(v)
|
||||
}
|
||||
|
||||
func jsonErr(w http.ResponseWriter, err error, code int) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
w.WriteHeader(code)
|
||||
_ = json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user