fix: add CORS allow_headers and allow_methods for cross-origin requests

graylikeme · claude · graylikeme · commit 419c844e5fb7 · 2026-03-28T17:52:56.000+05:00
The CorsLayer only set allow_origin but not allow_headers or
allow_methods, causing preflight failures for content-type header
from roster.battledroids.ru.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/crates/api/src/main.rs b/crates/api/src/main.rs
@@ -71,7 +71,7 @@ async fn main() -> anyhow::Result<()> {
     // ── CORS ──────────────────────────────────────────────────────────────────
     let cors = {
         let origins = cfg.allowed_origins_list();
-        if origins.is_empty() {
+        let base = if origins.is_empty() {
             CorsLayer::new()
         } else if origins.iter().any(|o| o == "*") {
             CorsLayer::new().allow_origin(Any)
@@ -81,7 +81,9 @@ async fn main() -> anyhow::Result<()> {
                 .filter_map(|o| o.parse().ok())
                 .collect();
             CorsLayer::new().allow_origin(AllowOrigin::list(parsed))
-        }
+        };
+        base.allow_headers([header::CONTENT_TYPE])
+            .allow_methods([axum::http::Method::GET, axum::http::Method::POST])
     };
 
     // ── Rate limiting (100 req/min burst per IP) ───────────────────────────────
