feat: CORS support (#813)

* feat: Add CORS support for Flutter mobile client Add rack-cors gem and configure CORS for API and OAuth endpoints to enable cross-origin requests from mobile clients and other external applications. https://claude.ai/code/session_01RJ6MKLkjBv7x5AQLEUn8AF * feat: Add /sessions/* to CORS for webview authentication Enable CORS for session endpoints to support webview-based authentication flows in the Flutter mobile client. https://claude.ai/code/session_01RJ6MKLkjBv7x5AQLEUn8AF * test: Add integration tests for CORS configuration Test that CORS middleware is configured and returns proper headers for API, OAuth, and session endpoints including preflight requests. https://claude.ai/code/session_01RJ6MKLkjBv7x5AQLEUn8AF * Gemfile.lock --------- Co-authored-by: Claude <noreply@anthropic.com>
2026-04-19 12:04:08 +00:00 · 2026-01-28 17:25:02 +01:00
parent f6c38344cd
commit ef4f5f7b8b
4 changed files with 113 additions and 0 deletions
--- a/test/integration/cors_test.rb
+++ b/test/integration/cors_test.rb
@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class CorsTest < ActionDispatch::IntegrationTest
+  test "rack cors is configured in middleware stack" do
+    middleware_classes = Rails.application.middleware.map(&:klass)
+    assert_includes middleware_classes, Rack::Cors, "Rack::Cors should be in middleware stack"
+  end
+
+  test "cors headers are returned for api endpoints" do
+    get "/api/v1/usage", headers: { "Origin" => "http://localhost:3000" }
+
+    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+    assert response.headers["Access-Control-Expose-Headers"].present?
+  end
+
+  test "cors preflight request is handled for api endpoints" do
+    # Simulate a preflight OPTIONS request
+    options "/api/v1/transactions",
+      headers: {
+        "Origin" => "http://localhost:3000",
+        "Access-Control-Request-Method" => "POST",
+        "Access-Control-Request-Headers" => "Content-Type, Authorization"
+      }
+
+    assert_response :ok
+    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+    assert response.headers["Access-Control-Allow-Methods"].present?
+    assert_includes response.headers["Access-Control-Allow-Methods"], "POST"
+  end
+
+  test "cors headers are returned for oauth endpoints" do
+    post "/oauth/token",
+      params: { grant_type: "authorization_code", code: "test" },
+      headers: { "Origin" => "http://localhost:3000" }
+
+    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+  end
+
+  test "cors preflight request is handled for oauth endpoints" do
+    options "/oauth/token",
+      headers: {
+        "Origin" => "http://localhost:3000",
+        "Access-Control-Request-Method" => "POST",
+        "Access-Control-Request-Headers" => "Content-Type"
+      }
+
+    assert_response :ok
+    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+  end
+
+  test "cors headers are returned for session endpoints" do
+    post "/sessions",
+      params: { email: "test@example.com", password: "password" },
+      headers: { "Origin" => "http://localhost:3000" }
+
+    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+  end
+
+  test "cors preflight request is handled for session endpoints" do
+    options "/sessions/new",
+      headers: {
+        "Origin" => "http://localhost:3000",
+        "Access-Control-Request-Method" => "GET",
+        "Access-Control-Request-Headers" => "Content-Type"
+      }
+
+    assert_response :ok
+    assert_equal "*", response.headers["Access-Control-Allow-Origin"]
+  end
+end