From dbf5745c0e4342191a7029f109753ea6faa1ab01 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Fri, 5 Dec 2025 15:30:12 +0100
Subject: [PATCH] fix(mana-core-auth): configure helmet for cross-origin requests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update helmet middleware to allow cross-origin resource policy and opener policy for proper CORS functionality with frontend apps. Also add debug logging for configured CORS origins.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 services/mana-core-auth/src/main.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/services/mana-core-auth/src/main.ts b/services/mana-core-auth/src/main.ts
index 3cd9fc4f0..8245fd05e 100644
--- a/services/mana-core-auth/src/main.ts
+++ b/services/mana-core-auth/src/main.ts
@@ -10,12 +10,18 @@ async function bootstrap() {
 const configService = app.get(ConfigService);
- // Security middleware
- app.use(helmet());
+ // Security middleware - configure helmet to allow CORS
+ app.use(
+ helmet({
+ crossOriginResourcePolicy: { policy: 'cross-origin' },
+ crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+ })
+ );
 app.use(cookieParser());
 // CORS configuration
 const corsOrigins = configService.get('cors.origin') || [];
+ console.log('📋 CORS Origins configured:', corsOrigins);
 app.enableCors({
 origin: corsOrigins,
 credentials: true,
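Review bot: The new `helmet({ crossOriginResourcePolicy: { policy: 'cross-origin' }, ... })` call relaxes two isolation headers for every route of an auth service, and that is broader than credentialed CORS needs. Browsers apply Cross-Origin-Resource-Policy to no-cors loads (embeds such as `<img>` or `<script>`), while CORS-mode `fetch`/XHR calls are governed by the `Access-Control-*` headers that `app.enableCors({ origin: corsOrigins, credentials: true })` already emits, so this relaxation is probably not what unblocks the frontend. I would keep `app.use(helmet());` and confirm the failure against the logged origin list first; if a popup-based login flow really needs it, keep only the `crossOriginOpenerPolicy` override and add a comment naming that flow. Separately, the `console.log` of `corsOrigins` would read better through the Nest logger, e.g. `new Logger('Bootstrap').log(...)` if `Logger` from `@nestjs/common` is in scope (the imports are not visible here), and with `credentials: true` it is worth failing startup when the configured value is not an explicit list of origins. `bootstrap()` starts and continues outside this hunk.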