From f0e86e6e6a7b82fbc0e543c259be3027c48ad606 Mon Sep 17 00:00:00 2001
From: Robert Field <robertfield@quadrimular.com>
Date: Fri, 30 Jan 2026 18:32:48 +0000
Subject: [PATCH] fix: Add CORS to templates and workspaces endpoints

Add cmCors middleware to remaining endpoints from OpenAPI spec:
- /api/v1/templates/:projectId/clone (POST)
- /api/v1/workspaces (GET, POST)
- /api/v1/workspaces/:workspaceId (GET, PUT, DELETE)
- /api/v1/personal-workspace (GET)

Add preflight handlers for templates, workspaces, personal-workspace.
---
 platform/wab/src/wab/server/AppServer.ts | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/platform/wab/src/wab/server/AppServer.ts b/platform/wab/src/wab/server/AppServer.ts
index 81bfcb931..740d91b6a 100644
--- a/platform/wab/src/wab/server/AppServer.ts
+++ b/platform/wab/src/wab/server/AppServer.ts
@@ -727,6 +727,10 @@ function addOptionsRoutes(app: express.Application) {
   app.options("/api/v1/settings/apitokens/*", cmCorsPreflight());
   app.options("/api/v1/hosts", cmCorsPreflight());
   app.options("/api/v1/hosts/*", cmCorsPreflight());
+  app.options("/api/v1/templates/*", cmCorsPreflight());
+  app.options("/api/v1/workspaces", cmCorsPreflight());
+  app.options("/api/v1/workspaces/*", cmCorsPreflight());
+  app.options("/api/v1/personal-workspace", cmCorsPreflight());
 }
 
 export function addCmsPublicRoutes(app: express.Application) {
@@ -1514,6 +1518,7 @@ export function addMainAppServerRoutes(
   app.post("/api/v1/projects/:projectId/clone", cmCors, withNext(cloneProject));
   app.post(
     "/api/v1/templates/:projectId/clone",
+    cmCors,
     safeCast<RequestHandler>(authRoutes.teamApiUserAuth),
     withNext(clonePublishedTemplate)
   );
@@ -1680,20 +1685,23 @@ export function addMainAppServerRoutes(
    */
   app.post(
     "/api/v1/workspaces",
+    cmCors,
     safeCast<RequestHandler>(authRoutes.teamApiUserAuth),
     createWorkspace
   );
-  app.get("/api/v1/workspaces/:workspaceId", getWorkspace);
-  app.get("/api/v1/personal-workspace", getPersonalWorkspace);
-  app.put("/api/v1/workspaces/:workspaceId", updateWorkspace);
+  app.get("/api/v1/workspaces/:workspaceId", cmCors, getWorkspace);
+  app.get("/api/v1/personal-workspace", cmCors, getPersonalWorkspace);
+  app.put("/api/v1/workspaces/:workspaceId", cmCors, updateWorkspace);
   app.delete(
     "/api/v1/workspaces/:workspaceId",
+    cmCors,
     safeCast<RequestHandler>(authRoutes.teamApiUserAuth),
     withNext(deleteWorkspace)
   );
 
   app.get(
     "/api/v1/workspaces",
+    cmCors,
     safeCast<RequestHandler>(authRoutes.teamApiUserAuth),
     withNext(getWorkspaces)
   );