From 9e9c5fb71e1a345bfa501fcc1b53fae6243b044c Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 16:28:38 +0800
Subject: [PATCH 1/3] caddy CORS
---
 caddy/Caddyfile.local | 13 +++++++++++++
 caddy/Caddyfile.prod | 12 ++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index 0a9cf6ff..e07d8c9a 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -13,6 +13,19 @@
 format console
 }
+ header {
+ Access-Control-Allow-Origin "http://localhost:5173" # allows the Vue app (running on localhost:5173) to make requests.
+ Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" # Specifies which methods are allowed.
+ Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent" # allows the custom headers needed by the API.
+ }
+
+ # This handles the browser's "preflight" OPTIONS request.
+ @preflight {
+ method OPTIONS
+ }
+
+ respond @preflight 204
+
 # Reverse proxy all incoming requests to the 'api' service.
 # - The service name 'api' is resolved by Docker's internal DNS to the correct container IP on the 'caddy_net' network.
 # - The API container listens on port 8080 (from the ENV_HTTP_PORT).
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index fb18f704..6035ea44 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -31,6 +31,18 @@ oullin.io {
 # - header_up: Preserve the original Host header.
 # - header_up X-*: Forward the client headers.
 handle_path /api/* {
+ header {
+ Access-Control-Allow-Origin "https://oullin.io"
+ Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+ }
+
+ @preflight {
+ method OPTIONS
+ }
+
+ respond @preflight 204
+
 reverse_proxy api:8080 {
 header_up Host {host}
 header_up X-API-Username {http.request.header.X-API-Username}
From be2bbbf74e8928d26118b6964d6aed1a06cec419 Mon Sep 17 00:00:00 2001
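Review bot: If the `api` upstream ever sets its own `Access-Control-*` headers, the new `header { ... }` block in Caddyfile.local will produce duplicates, because a non-deferred `header` directive writes its values before `reverse_proxy` adds the upstream's response headers. A response carrying two `Access-Control-Allow-Origin` values is rejected by browsers. Whether the API emits CORS headers is not visible here, so treat this as a caution; adding `defer` inside the block makes Caddy's values replace whatever the upstream sent. The same applies to the `header` block added under `handle_path /api/*` in the Caddyfile.prod hunk, and in Caddyfile.local the `reverse_proxy` directive itself lies outside the hunk.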
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 16:30:10 +0800
Subject: [PATCH 2/3] format
---
 caddy/Caddyfile.local | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index e07d8c9a..47b36b95 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -17,7 +17,7 @@
 Access-Control-Allow-Origin "http://localhost:5173" # allows the Vue app (running on localhost:5173) to make requests.
 Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" # Specifies which methods are allowed.
 Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent" # allows the custom headers needed by the API.
- }
+ }
 # This handles the browser's "preflight" OPTIONS request.
 @preflight {
From a77fef466178a821adce841dc308868d4ec0d5c1 Mon Sep 17 00:00:00 2001
From: Gustavo Ocanto
Date: Wed, 23 Jul 2025 17:01:26 +0800
Subject: [PATCH 3/3] narrow preflight
---
 caddy/Caddyfile.local | 10 +++++++++-
 caddy/Caddyfile.prod | 10 +++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/caddy/Caddyfile.local b/caddy/Caddyfile.local
index 47b36b95..b2013e35 100644
--- a/caddy/Caddyfile.local
+++ b/caddy/Caddyfile.local
@@ -22,9 +22,17 @@
 # This handles the browser's "preflight" OPTIONS request.
 @preflight {
 method OPTIONS
+ header Origin *
 }
- respond @preflight 204
+ handle @preflight {
+ # Reflect the Origin back so it's always allowed
+ header Access-Control-Allow-Origin "{http.request.header.Origin}"
+ header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+ header Access-Control-Max-Age "86400"
+ respond 204
+ }
 # Reverse proxy all incoming requests to the 'api' service.
 # - The service name 'api' is resolved by Docker's internal DNS to the correct container IP on the 'caddy_net' network.
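Review bot: The `handle @preflight` block echoes whatever `Origin` the request carries into `Access-Control-Allow-Origin`, so every preflight is approved and the fixed origin set by the static `header` block from the first patch no longer gates non-simple requests. A browser on any site would then go on to send the real `PUT`/`DELETE` or custom-header request; only reading the response stays blocked, and only if that static block (outside this hunk) still applies to proxied responses. In a localhost-only file this is low-stakes, but the identical block in the Caddyfile.prod hunk of this patch should answer with the allowed origin rather than the caller's, e.g. `header Access-Control-Allow-Origin "https://oullin.io"`, or narrow the matcher to `header Origin https://oullin.io`. The comment `# Reflect the Origin back so it's always allowed` should then be reworded to name the allowed origin.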
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
index 6035ea44..07a90b9e 100644
--- a/caddy/Caddyfile.prod
+++ b/caddy/Caddyfile.prod
@@ -39,9 +39,17 @@ oullin.io {
 @preflight {
 method OPTIONS
+ header Origin *
 }
- respond @preflight 204
+ handle @preflight {
+ # Reflect the Origin back so it's always allowed
+ header Access-Control-Allow-Origin "{http.request.header.Origin}"
+ header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+ header Access-Control-Allow-Headers "X-API-Key, X-API-Username, X-API-Signature, Content-Type, User-Agent"
+ header Access-Control-Max-Age "86400"
+ respond 204
+ }
 reverse_proxy api:8080 {
 header_up Host {host}