feat: implement CORS middleware and update service configurations

Author: PramithaMJ

Makefile

@@ -18,7 +18,7 @@ SHELL := /bin/bash
 
 COMPOSE := docker compose -f deploy/docker/docker-compose.dev.yml
 
-# ── module lists ──────────────────────────────────────────────────────────────
+#  module lists 
 SERVICES := packages/go-common \
             services/api-gateway \
             services/auth-service \
@@ -31,7 +31,7 @@ SERVICES := packages/go-common \
         gateway auth tenant booking config ui \
         migrate migrate-down
 
-# ── docker-compose targets ────────────────────────────────────────────────────
+#  docker-compose targets 
 
 ## up: start all services (build images if needed)
 up:
@@ -58,7 +58,7 @@ logs:
 build:
 	$(COMPOSE) build
 
-# ── migration targets ─────────────────────────────────────────────────────────
+#  migration targets ─
 
 ## migrate: run all pending DB migrations
 migrate:
@@ -68,7 +68,7 @@ migrate:
 migrate-down:
 	$(COMPOSE) run --rm migrate down 1
 
-# ── Go targets ────────────────────────────────────────────────────────────────
+#  Go targets 
 
 ## test: run tests in every module
 test:
@@ -105,7 +105,7 @@ tidy:
 	done
 	go work sync
 
-# ── local run targets (infra must be up first) ────────────────────────────────
+#  local run targets (infra must be up first) 
 
 ## gateway: run api-gateway locally
 gateway:
@@ -139,7 +139,7 @@ ui-install:
 ui-build:
 	cd apps/management-ui && npm run build
 
-# ── help ──────────────────────────────────────────────────────────────────────
+#  help 
 
 help:
 	@grep -E '^##' Makefile | sed 's/## //'

apps/management-ui/Dockerfile

@@ -4,21 +4,39 @@
 # Version 2.0 (the "LICENSE"); you may not use this file except
 # in compliance with the LICENSE.
 
-# ── Stage 1: dependencies ─────────────────────────────────────────────────────
+#  Stage 1: install dependencies ─
 FROM node:20-alpine AS deps
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm ci --prefer-offline
 
-# ── Stage 2: build ────────────────────────────────────────────────────────────
+#  Stage 2: build 
 FROM node:20-alpine AS builder
 WORKDIR /app
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
+
 ENV NEXT_TELEMETRY_DISABLED=1
+
+# Build-time public env vars (baked into JS bundle).
+# Override with ARG/ENV when running inside Docker Compose.
+ARG NEXT_PUBLIC_API_URL=http://localhost:8081
+ARG NEXT_PUBLIC_GATEWAY_URL=http://localhost:8081
+ARG NEXT_PUBLIC_AUTH_URL=http://localhost:8082
+ARG NEXT_PUBLIC_TENANT_URL=http://localhost:8083
+ARG NEXT_PUBLIC_BOOKING_URL=http://localhost:8084
+ARG NEXT_PUBLIC_CONFIG_URL=http://localhost:8085
+
+ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL
+ENV NEXT_PUBLIC_GATEWAY_URL=$NEXT_PUBLIC_GATEWAY_URL
+ENV NEXT_PUBLIC_AUTH_URL=$NEXT_PUBLIC_AUTH_URL
+ENV NEXT_PUBLIC_TENANT_URL=$NEXT_PUBLIC_TENANT_URL
+ENV NEXT_PUBLIC_BOOKING_URL=$NEXT_PUBLIC_BOOKING_URL
+ENV NEXT_PUBLIC_CONFIG_URL=$NEXT_PUBLIC_CONFIG_URL
+
 RUN npm run build
 
-# ── Stage 3: runner ───────────────────────────────────────────────────────────
+#  Stage 3: minimal runtime 
 FROM node:20-alpine AS runner
 WORKDIR /app
 ENV NODE_ENV=production

apps/management-ui/lib/api/config.ts

@@ -42,7 +42,7 @@ export const configApi = {
     config: Record<string, unknown>,
     tenantId: string,
   ): Promise<ModuleConfig> {
-    return api.put(`/v1/config/${module}`, { config }, { tenantId });
+    return api.put(`/v1/config/${module}`, config, { tenantId });
   },
 
   getHistory(module: string, tenantId: string): Promise<ConfigHistoryEntry[]> {

apps/management-ui/public/.gitkeep

@@ -5,28 +5,28 @@
 # in compliance with the LICENSE.
 
 #  Stage 1: build 
-FROM golang:1.23-alpine AS builder
+FROM golang:1.25-alpine AS builder
 
 # Receive the service name via build-arg, e.g. "tenant-service"
 ARG SERVICE
 RUN test -n "$SERVICE" || (echo "SERVICE build-arg is required" && exit 1)
 
 WORKDIR /workspace
 
-# Copy workspace descriptor first so the module graph is resolvable.
-COPY go.work go.work.sum ./
-
 # Copy shared packages (go-common is the only shared module for now).
 COPY packages/ packages/
 
 # Copy only the target service — avoids cache invalidation from sibling changes.
 COPY services/${SERVICE}/ services/${SERVICE}/
 
 # Build with module cache mount for fast rebuilds.
+# GOWORK=off: each service module has its own replace directive for go-common,
+# so the workspace file is not needed and only the target service + packages/
+# need to be in the build context.
 RUN --mount=type=cache,target=/root/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     cd services/${SERVICE} && \
-    CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/server ./cmd/server
+    GOWORK=off CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /bin/server ./cmd/server
 
 #  Stage 2: runtime 
 FROM alpine:3.20

build/Dockerfile.service

@@ -14,7 +14,7 @@
 # specific language governing permissions and limitations
 # under the LICENSE.
 #
-# ── ServiceForge development compose ─────────────────────────────────────────
+#  ServiceForge development compose ─
 #
 # Startup order (via depends_on + condition):
 #   postgres (healthy)
@@ -31,8 +31,6 @@
 #   docker compose -f deploy/docker/docker-compose.dev.yml up --build
 #   docker compose -f deploy/docker/docker-compose.dev.yml run --rm migrate down 1
 
-version: "3.9"
-
 x-service-defaults: &service-defaults
   build:
     context: ../..
@@ -44,7 +42,7 @@ x-service-defaults: &service-defaults
     DATABASE_URL: postgres://serviceforge:serviceforge@postgres:5432/serviceforge?sslmode=disable
     KAFKA_BROKERS: kafka:9092
 
-# ── Infrastructure ────────────────────────────────────────────────────────────
+#  Infrastructure 
 
 services:
   postgres:
@@ -95,34 +93,36 @@ services:
       start_period: 5s
 
   zookeeper:
-    image: bitnami/zookeeper:3.9
+    image: confluentinc/cp-zookeeper:7.5.0
     container_name: serviceforge-zookeeper
     environment:
-      - ALLOW_ANONYMOUS_LOGIN=yes
+      ZOOKEEPER_CLIENT_PORT: 2181
+      ZOOKEEPER_TICK_TIME: 2000
     ports:
       - "2181:2181"
     healthcheck:
-      test: ["CMD-SHELL", "echo ruok | nc -w 2 localhost 2181 | grep imok"]
+      test: ["CMD-SHELL", "echo srvr | nc localhost 2181 2>/dev/null | grep -q 'Zookeeper version' || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 10
       start_period: 15s
 
   kafka:
-    image: bitnami/kafka:3.7
+    image: confluentinc/cp-kafka:7.5.0
     container_name: serviceforge-kafka
     depends_on:
       zookeeper:
         condition: service_healthy
     ports:
       - "9092:9092"
     environment:
-      - KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper:2181
-      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092
-      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://kafka:9092
-      - ALLOW_PLAINTEXT_LISTENER=yes
+      KAFKA_BROKER_ID: 1
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+      KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true"
     healthcheck:
-      test: ["CMD-SHELL", "kafka-topics.sh --bootstrap-server localhost:9092 --list"]
+      test: ["CMD-SHELL", "kafka-topics --bootstrap-server localhost:9092 --list"]
       interval: 10s
       timeout: 10s
       retries: 10
@@ -140,7 +140,7 @@ services:
       KAFKA_CLUSTERS_0_NAME: local
       KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092
 
-# ── Microservices ─────────────────────────────────────────────────────────────
+#  Microservices ─
 
   tenant-service:
     <<: *service-defaults
@@ -299,22 +299,24 @@ services:
   management-ui:
     container_name: serviceforge-management-ui
     build:
-      context: ../..
-      dockerfile: apps/management-ui/Dockerfile
+      context: ../../apps/management-ui
+      dockerfile: Dockerfile
+      args:
+        # NEXT_PUBLIC_* vars are baked into the bundle at build time.
+        # The gateway is exposed on the host at port 8081 so the browser can reach it.
+        NEXT_PUBLIC_API_URL: http://localhost:8081
+        NEXT_PUBLIC_GATEWAY_URL: http://localhost:8081
+        NEXT_PUBLIC_AUTH_URL: http://localhost:8082
+        NEXT_PUBLIC_TENANT_URL: http://localhost:8083
+        NEXT_PUBLIC_BOOKING_URL: http://localhost:8084
+        NEXT_PUBLIC_CONFIG_URL: http://localhost:8085
     depends_on:
       api-gateway:
         condition: service_healthy
     ports:
       - "3000:3000"
-    environment:
-      NEXT_PUBLIC_API_URL: http://localhost:8081
-      NEXT_PUBLIC_GATEWAY_URL: http://localhost:8081
-      NEXT_PUBLIC_AUTH_URL: http://localhost:8082
-      NEXT_PUBLIC_TENANT_URL: http://localhost:8083
-      NEXT_PUBLIC_BOOKING_URL: http://localhost:8084
-      NEXT_PUBLIC_CONFIG_URL: http://localhost:8085
 
-# ── Volumes ───────────────────────────────────────────────────────────────────
+#  Volumes ─
 
 volumes:
   pgdata:

deploy/docker/docker-compose.dev.yml

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2026, SoftlaneIT (https://softlaneit.com/) All Rights Reserved.
+ *
+ * SoftlaneIT licenses this file to you under the Apache License,
+ * Version 2.0 (the "LICENSE"); you may not use this file except
+ * in compliance with the LICENSE.
+ */
+
+// Package middleware provides reusable HTTP middleware for all ServiceForge services.
+package middleware
+
+import "net/http"
+
+// CORS returns a middleware that adds cross-origin response headers so the
+// management-UI (served on a different port) can call every service directly.
+//
+// allowedOrigins is a set of exact Origin values that are permitted.
+// Pass "*" as the only element to allow any origin (dev-only).
+func CORS(allowedOrigins ...string) func(http.Handler) http.Handler {
+	allowed := make(map[string]bool, len(allowedOrigins))
+	for _, o := range allowedOrigins {
+		allowed[o] = true
+	}
+	wildcard := allowed["*"]
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get("Origin")
+
+			if wildcard || allowed[origin] {
+				w.Header().Set("Access-Control-Allow-Origin", origin)
+				w.Header().Set("Access-Control-Allow-Credentials", "true")
+				w.Header().Set("Access-Control-Allow-Methods",
+					"GET, POST, PUT, PATCH, DELETE, OPTIONS")
+				w.Header().Set("Access-Control-Allow-Headers",
+					"Content-Type, Authorization, X-Tenant-ID, X-Changed-By")
+				w.Header().Set("Access-Control-Max-Age", "3600")
+			}
+
+			// Handle preflight.
+			if r.Method == http.MethodOptions {
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}

packages/go-common/middleware/cors.go

@@ -57,6 +57,7 @@ import (
 
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/config"
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/logger"
+	commidware "github.com/SoftLaneIT/serviceforge/packages/go-common/middleware"
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/tenant"
 	gw "github.com/SoftLaneIT/serviceforge/services/api-gateway/internal/middleware"
 	"github.com/SoftLaneIT/serviceforge/services/api-gateway/internal/proxy"
@@ -125,7 +126,12 @@ func main() {
 	mux.Handle("/v1/config", withAuth(configProxy))
 
 	// Outer middleware applied to the whole mux.
-	httpHandler := tenant.Middleware(logger.HTTPMiddleware(log)(mux))
+	// CORS wraps everything so that preflight OPTIONS requests are handled before
+	// auth/rate-limit middleware runs.
+	corsOrigins := config.GetEnv("CORS_ORIGINS", "http://localhost:3000")
+	httpHandler := commidware.CORS(corsOrigins)(
+		tenant.Middleware(logger.HTTPMiddleware(log)(mux)),
+	)
 
 	//  HTTP server
 	port := config.GetEnv("PORT", "8081")

services/api-gateway/cmd/server/main.go

@@ -42,6 +42,7 @@ import (
 
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/config"
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/logger"
+	commidware "github.com/SoftLaneIT/serviceforge/packages/go-common/middleware"
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/tenant"
 	"github.com/SoftLaneIT/serviceforge/services/auth-service/internal/cache"
 	"github.com/SoftLaneIT/serviceforge/services/auth-service/internal/handler"
@@ -75,7 +76,10 @@ func main() {
 	// Middleware chain (outermost first):
 	//   tenant.Middleware  → injects tenant_id from X-Tenant-ID header
 	//   logger.HTTPMiddleware → structured request logging
-	httpHandler := tenant.Middleware(logger.HTTPMiddleware(log)(mux))
+	corsOrigins := config.GetEnv("CORS_ORIGINS", "http://localhost:3000")
+	httpHandler := commidware.CORS(corsOrigins)(
+		tenant.Middleware(logger.HTTPMiddleware(log)(mux)),
+	)
 
 	port := config.GetEnv("PORT", "8082")
 	srv := &http.Server{

services/auth-service/cmd/server/main.go

@@ -43,6 +43,7 @@ import (
 
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/config"
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/logger"
+	commidware "github.com/SoftLaneIT/serviceforge/packages/go-common/middleware"
 	"github.com/SoftLaneIT/serviceforge/packages/go-common/tenant"
 	"github.com/SoftLaneIT/serviceforge/services/booking-service/internal/events"
 	"github.com/SoftLaneIT/serviceforge/services/booking-service/internal/handler"
@@ -79,7 +80,10 @@ func main() {
 	mux := http.NewServeMux()
 	h.RegisterRoutes(mux)
 
-	httpHandler := tenant.Middleware(logger.HTTPMiddleware(log)(mux))
+	corsOrigins := config.GetEnv("CORS_ORIGINS", "http://localhost:3000")
+	httpHandler := commidware.CORS(corsOrigins)(
+		tenant.Middleware(logger.HTTPMiddleware(log)(mux)),
+	)
 
 	port := config.GetEnv("PORT", "8084")
 	srv := &http.Server{