From 4e0f729ec8f7fc94474c57d939d7b2dce073da86 Mon Sep 17 00:00:00 2001
From: faisolavolut
Date: Tue, 11 Nov 2025 11:07:57 +0700
Subject: [PATCH] fix: update CORS middleware to include OPTIONS method for public API endpoints
---
 src/app.ts | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/app.ts b/src/app.ts
index cd128d2..a62a1aa 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -25,12 +25,6 @@ const CORS_CACHE_TTL_MS = Number(process.env.CORS_CACHE_TTL_MS) || 5 * 60 * 1000;
 app.use((req, res, next) => {
- const publicCorsOptions = {
- origin: "*",
- methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
- credentials: false, // must be false when origin is "*"
- };
- return (cors(publicCorsOptions) as any)(req, res, next);
 // Check if this is a public API endpoint that should allow any origin
 const isPublicAPIEndpoint =
 req.path.match(/^\/[^\/]+\/transfer-va\/(inquiry|payment)$/) ||
@@ -40,7 +34,7 @@ app.use((req, res, next) => {
 // Allow any origin for public API endpoints
 const publicCorsOptions = {
 origin: "*",
- methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
+ methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS"],
 credentials: false, // must be false when origin is "*"
 };
 return (cors(publicCorsOptions) as any)(req, res, next);
@@ -81,7 +75,7 @@ app.use((req, res, next) => {
 }
 })();
 },
- methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
+ methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS"],
 // Do not set a fixed `allowedHeaders` list so the CORS middleware will
 // reflect the browser's requested headers (Access-Control-Request-Headers).
 // This effectively allows the browser to send any header. Keep credentials
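Review bot: On the wildcard-origin branch (hunk at -40,7) the `methods` list still advertises PUT, PATCH and DELETE to every origin for the transfer-va inquiry/payment routes, and adding `"OPTIONS"` is unlikely to change whether a preflight succeeds, because this value only fills Access-Control-Allow-Methods, which the browser checks against the method of the real request. If these handlers accept only one or two verbs (not visible in the patch), narrow the list to those, for example `methods: ["POST"],`. The behaviour change that matters here is the deletion in the first hunk of the unconditional `return (cors(publicCorsOptions) as any)(req, res, next);`, which had applied `origin: "*"` to every route before the path check ran; the subject line should mention it, and a test asserting that a non-public path does not get a wildcard Access-Control-Allow-Origin would guard against it coming back. The enclosing `app.use` callback starts and ends outside this hunk.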
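Review bot: In the hunk at -81,7 the restricted-origin branch repeats by hand the same `methods` literal that the public branch edits, so the two policies can drift the next time one of them is touched. Unless the public list is narrowed, hoist it to a single constant beside `CORS_CACHE_TTL_MS`, e.g. `const CORS_METHODS = ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS"];`, and reference it from both option objects. The comment directly below says request headers are reflected rather than allow-listed, which leaves the `origin` callback above (outside this hunk) as the only gate on this branch; a one-line comment there stating that it must reject the origin when the lookup or cache fails would make that dependency explicit.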