fix(api): add credentials header to cors error responses

fulleni · fulleni · commit 59297c55f817 · 2025-07-14T07:06:55.000+01:00
The errorHandler middleware was missing the `Access-Control-Allow-Credentials`
header in its CORS configuration. This caused browsers to block credentialed
requests (e.g., those with an Authorization header) that resulted in an
error, leading to a specific CORS failure.

This change adds the `Access-Control-Allow-Credentials: true` header to
all error responses when the origin is allowed, resolving the issue and
allowing the client to correctly read API error messages for authenticated
or credentialed requests.
diff --git a/lib/src/middlewares/error_handler.dart b/lib/src/middlewares/error_handler.dart
@@ -127,6 +127,7 @@ Response _jsonErrorResponse({
 
     if (isOriginAllowed) {
       headers[HttpHeaders.accessControlAllowOriginHeader] = requestOrigin;
+      headers[HttpHeaders.accessControlAllowCredentialsHeader] = 'true';
       headers[HttpHeaders.accessControlAllowMethodsHeader] =
           'GET, POST, PUT, DELETE, OPTIONS';
       headers[HttpHeaders.accessControlAllowHeadersHeader] =
