From 2f4302dfaea626307cf048fab72375f9d60ca89f Mon Sep 17 00:00:00 2001
From: APAW Agent Sync
Date: Thu, 14 May 2026 00:36:00 +0100
Subject: [PATCH] fix(cors): allow credentials with echo-mode origin

Hono cors middleware with credentials: true requires origin to be a concrete value, not '*'. Using origin callback that echoes back the requesting origin satisfies browser CORS requirements for fetch() with credentials: 'include'.
Fixes: API calls returning 401 on production because cookies were not sent with cross-origin requests.
Refs: production server, admin dashboard

---
 src/server/index.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/server/index.ts b/src/server/index.ts
index 4cb98f5..80088ca 100644
--- a/src/server/index.ts
+++ b/src/server/index.ts
@@ -245,8 +245,18 @@ db.run(`
 `)
 db.run('CREATE INDEX IF NOT EXISTS idx_analytics_daily_date ON analytics_daily(date)')
-// Middleware
-app.use('*', cors())
+// Middleware - CORS: credentials=true requires explicit origin, not '*'
+// When credentials: 'include' is used in fetch(), browser requires concrete origin
+app.use('*', cors({
+  origin: (origin) => {
+    // Echo back the requesting origin if it exists (null = no origin header)
+    return origin || '*'
+  },
+  credentials: true,
+  allowHeaders: ['Origin', 'Content-Type', 'Accept', 'X-Requested-With'],
+  allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+  maxAge: 86400
+}))
 app.use('*', logger())
 // Serve static files FIRST for all contexts
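Review bot: The `origin` callback reflects whatever origin the request carries while `credentials: true` is set, so any site a logged-in user visits can make cookie-authenticated requests to this API and read the responses — the grant is as broad as the `'*'` the commit message says it is avoiding, just spelled in a way browsers accept. Restrict reflection to an allowlist of the dashboard's own origin(s), e.g. `const allowedOrigins = new Set([/* CONFIGURED_ALLOWED_ORIGINS: dashboard origin(s) */])` and `origin: (origin) => (origin && allowedOrigins.has(origin) ? origin : undefined),`; as far as I recall, Hono omits `Access-Control-Allow-Origin` when the callback returns a falsy value, so unlisted origins simply get no CORS grant. The `|| '*'` fallback is also at odds with `credentials: true`, since browsers reject a wildcard on credentialed responses, so dropping it loses nothing, and the inline comment's claim that a missing header arrives as `null` should be checked against what Hono actually passes. The hunk's old-side line count suggests one trailing context line lies past the visible text.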