From 35a3088c30eaa467032b4a5df6e47b94e2cd2949 Mon Sep 17 00:00:00 2001
From: Paul R Kartchner <pkartch@gmail.com>
Date: Wed, 26 Nov 2025 15:42:45 +0000
Subject: [PATCH] fix: add CORS headers to nginx proxy configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added comprehensive CORS headers to the nginx proxy configuration to
fix network errors when the frontend tries to fetch from the API.

Changes:
- Added Access-Control-Allow-Origin header with dynamic origin
- Added Access-Control-Allow-Methods for all needed HTTP methods
- Added Access-Control-Allow-Headers for Content-Type and Authorization
- Added Access-Control-Allow-Credentials for cookie support
- Added X-Forwarded-Proto header to pass HTTPS scheme to backend
- Implemented preflight OPTIONS request handling

This resolves "NetworkError when attempting to fetch resource" errors
in the browser by ensuring proper CORS handling at the nginx level.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 packages/web/nginx.conf | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/packages/web/nginx.conf b/packages/web/nginx.conf
index a4df7d6..8bdc48d 100644
--- a/packages/web/nginx.conf
+++ b/packages/web/nginx.conf
@@ -19,7 +19,30 @@ server {
         proxy_cache_bypass $http_upgrade;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Origin $http_origin;
         client_max_body_size 20M;
+
+        # Pass through CORS headers from API
+        proxy_hide_header Access-Control-Allow-Origin;
+        proxy_hide_header Access-Control-Allow-Methods;
+        proxy_hide_header Access-Control-Allow-Headers;
+        proxy_hide_header Access-Control-Allow-Credentials;
+        add_header Access-Control-Allow-Origin $http_origin always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
+        add_header Access-Control-Allow-Credentials "true" always;
+
+        # Handle preflight OPTIONS requests
+        if ($request_method = 'OPTIONS') {
+            add_header Access-Control-Allow-Origin $http_origin always;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Content-Length 0;
+            add_header Content-Type text/plain;
+            return 204;
+        }
     }
 
     # Proxy uploads requests to backend