From 8f42a653c407d172bc41cb6cdae8c6988c4d0852 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Sat, 4 Oct 2025 19:07:22 +0000
Subject: [PATCH] fix: remove AllowCredentials from CORS to support wildcard origin

---
 api/index.go | 28 +++++++++++++++++++++++-----
 main.go | 28 +++++++++++++++++++++++-----
 2 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/api/index.go b/api/index.go
index 9392acf..240dbb5 100644
--- a/api/index.go
+++ b/api/index.go
@@ -150,12 +150,30 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 protected.HandleFunc("/reactions/{mediaType}/{mediaId}", reactionsHandler.RemoveReaction).Methods("DELETE")
 protected.HandleFunc("/reactions/my", reactionsHandler.GetMyReactions).Methods("GET")

+ // CORS configuration - allow all origins
 corsHandler := handlers.CORS(
- handlers.AllowedOrigins([]string{"*"}),
- handlers.AllowedMethods([]string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}),
- handlers.AllowedHeaders([]string{"Authorization", "Content-Type", "Accept", "Origin", "X-Requested-With", "X-CSRF-Token"}),
- handlers.AllowCredentials(),
- handlers.ExposedHeaders([]string{"Authorization", "Content-Type"}),
+ handlers.AllowedOrigins([]string{
+ "*", // Allow all origins
+ }),
+ handlers.AllowedMethods([]string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD"}),
+ handlers.AllowedHeaders([]string{
+ "Authorization",
+ "Content-Type",
+ "Accept",
+ "Origin",
+ "X-Requested-With",
+ "X-CSRF-Token",
+ "Access-Control-Allow-Origin",
+ "Access-Control-Allow-Headers",
+ "Access-Control-Allow-Methods",
+ "Access-Control-Allow-Credentials",
+ }),
+ handlers.ExposedHeaders([]string{
+ "Authorization",
+ "Content-Type",
+ "X-Total-Count",
+ }),
+ handlers.MaxAge(3600),
 )

 corsHandler(router).ServeHTTP(w, r)
diff --git a/main.go b/main.go
index 58bf16b..fe125f8 100644
--- a/main.go
+++ b/main.go
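Review bot: The four `Access-Control-Allow-*` names added to `handlers.AllowedHeaders` are CORS response headers, not request headers, so a browser client has no reason to send them and listing them only widens what the preflight accepts; I would drop those four entries here and in the identical main.go hunk. Separately, `handlers.ExposedHeaders` still lists `Authorization` while the only allowed origin is `"*"`, so if the API ever returns a token in that response header, script running on any origin can read it from a non-credentialed response. Either confirm that exposure is intended or replace the wildcard with an explicit list of front-end origins. Handler's body starts and ends outside the hunk, so the router and authentication middleware could not be checked from here.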
@@ -129,12 +129,30 @@ func main() {
 protected.HandleFunc("/reactions/{mediaType}/{mediaId}", reactionsHandler.RemoveReaction).Methods("DELETE")
 protected.HandleFunc("/reactions/my", reactionsHandler.GetMyReactions).Methods("GET")

+ // CORS configuration - allow all origins
 corsHandler := handlers.CORS(
- handlers.AllowedOrigins([]string{"*"}),
- handlers.AllowedMethods([]string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}),
- handlers.AllowedHeaders([]string{"Authorization", "Content-Type", "Accept", "Origin", "X-Requested-With", "X-CSRF-Token"}),
- handlers.AllowCredentials(),
- handlers.ExposedHeaders([]string{"Authorization", "Content-Type"}),
+ handlers.AllowedOrigins([]string{
+ "*", // Allow all origins
+ }),
+ handlers.AllowedMethods([]string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD"}),
+ handlers.AllowedHeaders([]string{
+ "Authorization",
+ "Content-Type",
+ "Accept",
+ "Origin",
+ "X-Requested-With",
+ "X-CSRF-Token",
+ "Access-Control-Allow-Origin",
+ "Access-Control-Allow-Headers",
+ "Access-Control-Allow-Methods",
+ "Access-Control-Allow-Credentials",
+ }),
+ handlers.ExposedHeaders([]string{
+ "Authorization",
+ "Content-Type",
+ "X-Total-Count",
+ }),
+ handlers.MaxAge(3600),
 )

 var finalHandler http.Handler
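Review bot: This CORS block is a line-for-line copy of the one in api/index.go, so the two entry points can silently drift apart the next time the policy is edited. Building the option list once in a helper both files can import would keep the policy in a single reviewed place, leaving each call site as `corsHandler := handlers.CORS(corsOptions()...)`, where `corsOptions` is a suggested name. The new comment should also record why credentials are off, for example `// Wildcard origin: AllowCredentials is deliberately omitted, browsers reject "*" on credentialed requests`, so nobody re-adds it later. If `handlers` is gorilla/handlers, I believe `MaxAge` clamps values above 600 seconds, so `handlers.MaxAge(3600)` would not give the hour it suggests; worth verifying against the vendored version. main's body continues outside the hunk.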