feat: Enhance API subdomain configuration and add track endpoint with CORS support (#24)

Author: dev-bre

Caddyfile

@@ -1,4 +1,74 @@
-# Replace with your domain
+# API Subdomain - handles tracking and API routes
+{$API_DOMAIN:api.localhost} {
+    # Logging
+    log {
+        output file /var/log/caddy/api-access.log
+        level INFO
+    }
+
+    # Security headers
+    header {
+        # Enable HSTS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Prevent XSS attacks
+        X-XSS-Protection "1; mode=block"
+        # Prevent MIME type sniffing
+        X-Content-Type-Options "nosniff"
+        # Referrer policy
+        Referrer-Policy "strict-origin-when-cross-origin"
+        # Remove Server header
+        -Server
+    }
+
+    # CORS headers for API subdomain
+    @options {
+        method OPTIONS
+    }
+    handle @options {
+        header {
+            Access-Control-Allow-Origin "*"
+            Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, PATCH"
+            Access-Control-Allow-Headers "Accept, Authorization, Content-Type, X-Api-Key"
+            Access-Control-Max-Age "3600"
+        }
+        respond 204
+    }
+
+    # Health check endpoint
+    handle /health {
+        reverse_proxy app:4000 {
+            header_up Host {host}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Track endpoint - public API
+    handle /track {
+        reverse_proxy app:4000 {
+            header_up Host {host}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Authenticated API routes
+    handle /api/* {
+        reverse_proxy app:4000 {
+            header_up Host {host}
+            header_up X-Real-IP {remote_host}
+            header_up X-Forwarded-For {remote_host}
+            header_up X-Forwarded-Proto {scheme}
+        }
+    }
+
+    # Enable gzip compression
+    encode gzip zstd
+}
+
+# Main Domain - serves frontend and auth
 {$DOMAIN:localhost} {
     # Logging
     log {

internal/server/routes.go

@@ -23,9 +23,9 @@ func (s *Server) RegisterRouter() http.Handler {
 	router := gin.Default()
 
 	router.Use(cors.New(cors.Config{
-		AllowOrigins:     []string{"http://localhost:4000", "https://trakrlog.com", "https://www.trakrlog.com"}, // Add your frontend URL
+		AllowOrigins:     []string{"http://localhost:4000", "https://trakrlog.com", "https://www.trakrlog.com", "https://api.trakrlog.com"}, // Add your frontend URL
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"},
-		AllowHeaders:     []string{"Accept", "Authorization", "Content-Type"},
+		AllowHeaders:     []string{"Accept", "Authorization", "Content-Type", "X-API-KEY"},
 		AllowCredentials: true, // Enable cookies/auth
 	}))
 
@@ -88,6 +88,14 @@ func (s *Server) RegisterRouter() http.Handler {
 		api.DELETE("/events/:id", eventHandler.DeleteEvent)
 	}
 
+	// Track endpoint - supports both /track and /api/track for backwards compatibility
+	track := router.Group("/track")
+	track.Use(middleware.RequireAuthApiKey(s.userService))
+	{
+		track.POST("/", handler.NewEventHandler(s.eventService).CreateEvent)
+	}
+
+	// Legacy endpoint - keeping for backwards compatibility
 	apiTrack := router.Group("/api/track")
 	apiTrack.Use(middleware.RequireAuthApiKey(s.userService))
 	{