fix(api): allow CORS preflight for stats export (#1601)

Author: riderx

supabase/functions/_backend/private/stats.ts

@@ -73,7 +73,9 @@ const exportSchema = z.object({
 
 export const app = new Hono<MiddlewareKeyVariables>()
 
-app.use('/', useCors)
+// Browser clients call this endpoint and require CORS preflight (OPTIONS).
+// Use '*' so it also applies to sub-routes like '/export'.
+app.use('*', useCors)
 
 app.post('/', middlewareV2(['read', 'write', 'all', 'upload']), async (c) => {
   const body = await parseBody<DataStats>(c)

tests/stats-export-cors.test.ts

@@ -0,0 +1,21 @@
+import { describe, expect, it } from 'vitest'
+
+import { app } from '../supabase/functions/_backend/private/stats.ts'
+
+describe('[OPTIONS] /private/stats/export', () => {
+  it('responds to CORS preflight', async () => {
+    const res = await app.request('http://local/export', {
+      method: 'OPTIONS',
+      headers: {
+        'origin': 'http://localhost:5173',
+        'access-control-request-method': 'POST',
+        'access-control-request-headers': 'content-type,authorization',
+      },
+    })
+
+    expect(res.status).toBe(204)
+    expect(res.headers.get('access-control-allow-origin')).toBe('*')
+    expect(res.headers.get('access-control-allow-methods')).toContain('OPTIONS')
+    expect(res.headers.get('access-control-allow-headers')?.toLowerCase()).toContain('authorization')
+  })
+})