fix: solve duplicated CORS configuration

Author: Bulletdev

config/application.rb

@@ -53,18 +53,8 @@ class Application < Rails::Application
     config.autoload_paths += %W[#{config.root}/app/modules]
     config.eager_load_paths += %W[#{config.root}/app/modules]
 
-    # CORS configuration
-    config.middleware.insert_before 0, Rack::Cors do
-      allow do
-        origins ENV.fetch('CORS_ORIGINS', 'http://localhost:8888').split(',')
-
-        resource '*',
-                 headers: :any,
-                 methods: %i[get post put patch delete options head],
-                 credentials: true,
-                 max_age: 86_400
-      end
-    end
+    # CORS configuration - See config/initializers/cors.rb
+    # Removed from here to avoid duplicate middleware registration
 
     # Rack Attack for rate limiting
     config.middleware.use Rack::Attack

config/initializers/cors.rb

@@ -3,7 +3,7 @@
 Rails.application.config.middleware.insert_before 0, Rack::Cors do
   allow do
     # The fallback (second argument) must be a single string separated by commas
-origins ENV.fetch('CORS_ORIGINS', 'http://localhost:5173,http://localhost:8888,https://prostaff.vercel.app,https://prostaff.gg,https://api.prostaff.gg').split(',')
+    origins ENV.fetch('CORS_ORIGINS', 'http://localhost:5173,http://localhost:8888,https://prostaff.vercel.app,https://prostaff.gg,https://www.prostaff.gg,https://api.prostaff.gg').split(',')
 
     resource '*',
              headers: :any,

config/initializers/rack_attack.rb

@@ -57,8 +57,11 @@ class Attack
     end
 
     # Block suspicious requests (no user agent)
+    # Allow OPTIONS requests (CORS preflight) even without user agent
     blocklist('block requests without user agent') do |req|
-      req.user_agent.blank? && !['/health', '/up'].include?(req.path)
+      req.user_agent.blank? &&
+      !['/health', '/up'].include?(req.path) &&
+      req.request_method != 'OPTIONS'
     end
 
     # Block requests with suspicious patterns