From 96b150e3e9721650241f31210f8eb1e989084174 Mon Sep 17 00:00:00 2001
From: Robert Field
Date: Fri, 30 Jan 2026 17:47:41 +0000
Subject: [PATCH] fix: CORS header wildcard and missing endpoints

- Replace allowedHeaders: "*" with explicit list (wildcards don't work with credentials: true)
- Add cmCors to /api/v1/settings/apitokens endpoints
- Add cmCors to /api/v1/hosts endpoints
- Add preflight handlers for new endpoints
---
 platform/wab/src/wab/server/AppServer.ts | 18 +++++++++++++++---
 platform/wab/src/wab/server/cm-cors.ts | 12 +++++++++++-
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/platform/wab/src/wab/server/AppServer.ts b/platform/wab/src/wab/server/AppServer.ts
index 1ca01d1f8..81bfcb931 100644
--- a/platform/wab/src/wab/server/AppServer.ts
+++ b/platform/wab/src/wab/server/AppServer.ts
@@ -723,6 +723,10 @@ function addOptionsRoutes(app: express.Application) {
 app.options("/api/v1/projects", cmCorsPreflight());
 app.options("/api/v1/projects/*", cmCorsPreflight());
 app.options("/api/v1/cmse/*", cmCorsPreflight());
+ app.options("/api/v1/settings/apitokens", cmCorsPreflight());
+ app.options("/api/v1/settings/apitokens/*", cmCorsPreflight());
+ app.options("/api/v1/hosts", cmCorsPreflight());
+ app.options("/api/v1/hosts/*", cmCorsPreflight());
 }
 
 export function addCmsPublicRoutes(app: express.Application) {
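Review bot: The four OPTIONS entries added here have to mirror the routes that addMainAppServerRoutes wraps in cmCors, and nothing in the hunk records that coupling; a credentialed browser request to a cmCors route with no entry here would presumably be rejected at the preflight, before the route's own middleware ever runs. A comment above the list would help the next person who adds a route: `// Keep in sync with the cmCors-wrapped routes in addMainAppServerRoutes; a route without an OPTIONS entry fails at the browser preflight.`. The `/api/v1/settings/apitokens/*` and `/api/v1/hosts/*` patterns do cover the `:token`, `emit/:initToken` and `:trustedHostId` routes touched later in this patch. addOptionsRoutes starts before the hunk.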
@@ -1726,14 +1730,20 @@ export function addMainAppServerRoutes(
 app.get("/api/v1/clip/:clipId", getClip);
 app.put("/api/v1/clip/:clipId", withNext(putClip));
 
- app.get("/api/v1/settings/apitokens", apiTokenRoutes.listTokens);
- app.put("/api/v1/settings/apitokens", withNext(apiTokenRoutes.createToken));
+ app.get("/api/v1/settings/apitokens", cmCors, apiTokenRoutes.listTokens);
+ app.put(
+ "/api/v1/settings/apitokens",
+ cmCors,
+ withNext(apiTokenRoutes.createToken)
+ );
 app.delete(
 "/api/v1/settings/apitokens/:token",
+ cmCors,
 withNext(apiTokenRoutes.revokeToken)
 );
 app.put(
 "/api/v1/settings/apitokens/emit/:initToken",
+ cmCors,
 withNext(apiTokenRoutes.emitToken)
 );
 
@@ -1806,15 +1816,17 @@ export function addMainAppServerRoutes(
 */
 app.get(
 "/api/v1/hosts",
+ cmCors,
 safeCast(authRoutes.teamApiUserAuth),
 getTrustedHostsForSelf
 );
 app.post(
 "/api/v1/hosts",
+ cmCors,
 safeCast(authRoutes.teamApiUserAuth),
 withNext(addTrustedHost)
 );
- app.delete("/api/v1/hosts/:trustedHostId", withNext(deleteTrustedHost));
+ app.delete("/api/v1/hosts/:trustedHostId", cmCors, withNext(deleteTrustedHost));
 
 app.post(
 "/api/v1/image/upload",
diff --git a/platform/wab/src/wab/server/cm-cors.ts b/platform/wab/src/wab/server/cm-cors.ts
index a275aaf87..a61a44f06 100644
--- a/platform/wab/src/wab/server/cm-cors.ts
+++ b/platform/wab/src/wab/server/cm-cors.ts
@@ -41,7 +41,17 @@ export function cmCorsPreflight() {
 const corsHandler = cors({
 ...cmCorsOptions,
 maxAge: 30 * 24 * 60 * 60,
- allowedHeaders: "*",
+ // Must explicitly list headers - wildcards don't work with credentials: true
+ allowedHeaders: [
+ "Content-Type",
+ "Authorization",
+ "X-CSRF-Token",
+ "X-Requested-With",
+ "Accept",
+ "Origin",
+ "Cache-Control",
+ "Pragma",
+ ],
 });
 
 const handler: express.RequestHandler = safeCast(
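Review bot: Adding cmCors to the /api/v1/settings/apitokens routes makes listing, creating and revoking API tokens callable cross-origin, and since the preflight is credentialed (the commit message cites credentials: true) the only barrier between a foreign page acting with a user's session and that user's tokens is the origin check inside cmCorsOptions, which this diff does not show. Confirm that check is a fixed allowlist rather than a reflection of the request Origin, and that createToken, revokeToken and emitToken actually enforce the X-CSRF-Token the preflight now admits. Unlike the /api/v1/hosts routes in the next hunk, none of these registrations carries an explicit auth middleware, so presumably authentication is global or lives inside apiTokenRoutes; a comment stating where would save the next reader the search, e.g. `// Credentialed CORS: reachable from every origin cmCorsOptions allows; auth is enforced inside apiTokenRoutes.` (adjusted to wherever it really is). addMainAppServerRoutes starts and ends outside the hunk.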
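Review bot: The rewritten DELETE registration on the last changed line, `app.delete("/api/v1/hosts/:trustedHostId", cmCors, withNext(deleteTrustedHost));`, runs past the wrap width that the surrounding app.get/app.post calls and the apitokens put in the previous hunk follow, so Prettier would reflow it; write it one argument per line like the app.post above it. Placing cmCors ahead of safeCast(authRoutes.teamApiUserAuth) is the right order, since a request the auth middleware rejects still gets its CORS headers and the browser surfaces the real status instead of an opaque error. Note that this DELETE route carries no teamApiUserAuth while the GET and POST beside it do; that asymmetry predates the commit, but the route is now reachable cross-origin, so it is worth confirming deleteTrustedHost authenticates on its own. addMainAppServerRoutes starts and ends outside the hunk.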
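Review bot: The allowed-header list is a literal buried inside cmCorsPreflight, so no test can assert it and nothing else can reuse it; hoist it to a module-level `const CM_CORS_ALLOWED_HEADERS = ["Content-Type", "Authorization", /* … the rest of the list … */] as const;` and pass `allowedHeaders: [...CM_CORS_ALLOWED_HEADERS],`. The explicit allowlist is the right direction: when allowedHeaders is omitted the cors package reflects whatever Access-Control-Request-Headers the browser sent, which is looser than this list, and the Fetch spec treats `*` in Access-Control-Allow-Headers as a literal header name once credentials are included, which is the actual reason behind the removed line and worth stating in the new comment. The 30-day maxAge two lines above means a browser that cached the old preflight keeps using it until its own cap expires (browsers clamp the value to hours, not days, as far as I know), so a comment on maxAge noting that edits to this list roll out slowly would help. cmCorsPreflight starts before the hunk and ends after it.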