From 9eb3a63e9046d0adde05ce0f4886c67d3d37b5a1 Mon Sep 17 00:00:00 2001
From: Esdras Renan
Date: Tue, 14 Oct 2025 20:57:31 -0300
Subject: [PATCH] CORS: enable credentials for allowed origins (fix cookies set from WebView)
---
 src/server/cors.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/server/cors.ts b/src/server/cors.ts
index 2846563..fb18c6e 100644
--- a/src/server/cors.ts
+++ b/src/server/cors.ts
@@ -22,6 +22,10 @@ export function applyCorsHeaders(response: NextResponse, origin: string | null,
 response.headers.set("Access-Control-Allow-Origin", resolvedOrigin)
 response.headers.set("Access-Control-Allow-Methods", methods)
 response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+ // Permite envio/recebimento de cookies em requisições cross-origin (ex.: WebView -> domínio HTTPS)
+ if (resolvedOrigin !== "*") {
+ response.headers.set("Access-Control-Allow-Credentials", "true")
+ }
 response.headers.set("Access-Control-Max-Age", "86400")
 response.headers.set("Vary", "Origin")
 return response
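Review bot: The added `if (resolvedOrigin !== "*")` guard sends `Access-Control-Allow-Credentials: true` for every non-wildcard value, so the safety of this change rests entirely on how `resolvedOrigin` is computed, which happens above the hunk and is not visible here. If that resolution ever echoes the request's `Origin` header, or accepts the literal `"null"` origin that WebViews and sandboxed documents can send, responses to cookie-authenticated requests become readable cross-origin. I would state the precondition in the guard itself, e.g. `if (resolvedOrigin !== "*" && resolvedOrigin !== "null") {`. The comment could also be replaced with an English one that records the invariant: `// Credentials only for origins matched exactly against the allowlist; never for a reflected or "null" origin.` The body of `applyCorsHeaders` starts and ends outside the hunk, so the allowlist logic should be confirmed there before merging.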