From 1eb87815504973b4fb8676e44f658b3f1948b0fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?=
Date: Thu, 8 Jan 2026 21:32:34 +0100
Subject: [PATCH] Add CORS middleware to handle browser preflight requests

---
 go_cloud/internal/http/routes.go | 1 +
 go_cloud/internal/middleware/middleware.go | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/go_cloud/internal/http/routes.go b/go_cloud/internal/http/routes.go
index e963030..2184e33 100644
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -27,6 +27,7 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
 r.Use(middleware.RequestID)
 r.Use(middleware.Logger)
 r.Use(middleware.Recoverer)
+ r.Use(middleware.CORS)
 r.Use(middleware.RateLimit)
 
 // Health check
diff --git a/go_cloud/internal/middleware/middleware.go b/go_cloud/internal/middleware/middleware.go
index c64d235..91dcbb2 100644
--- a/go_cloud/internal/middleware/middleware.go
+++ b/go_cloud/internal/middleware/middleware.go
@@ -21,6 +21,23 @@ var RequestID = middleware.RequestID
 var Logger = middleware.Logger
 var Recoverer = middleware.Recoverer
+// CORS middleware
+func CORS(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+ w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+ w.Header().Set("Access-Control-Max-Age", "3600")
+
+ if r.Method == http.MethodOptions {
+ w.WriteHeader(http.StatusOK)
+ return
+ }
+
+ next.ServeHTTP(w, r)
+ })
+}
+
 // TODO: Implement rate limiter
 var RateLimit = func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
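Review bot: In routes.go, `r.Use(middleware.CORS)` is registered ahead of `r.Use(middleware.RateLimit)`, and the CORS handler returns early on OPTIONS, so those requests never reach the limiter once its stub is implemented. If that is the intended trade-off, say so on the line, e.g. `// CORS runs before RateLimit: preflights are answered without being rate limited`; otherwise move CORS below RateLimit. Because it is installed at the router root, the policy also covers every route NewRouter registers, most of which lie outside this hunk, so a route that should not be callable cross-origin would need its own group.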