Add CORS testing documentation and HTML test page for Passkey Cross-Device Authentication

Introduce a comprehensive CORS testing guide in CORS_TEST_ANLEITUNG.md, detailing steps for testing OPTIONS and POST requests, along with expected responses. Additionally, add a new HTML test page (test-cors.html) to facilitate interactive testing of CORS headers and responses for the Passkey registration API. Update the server API to ensure proper CORS headers are set for Cross-Device Authentication, enhancing the overall testing and debugging process.

server/api/auth/register-passkey.post.js

@@ -11,12 +11,30 @@ import { assertPasswordNotPwned } from '../../utils/hibp.js'
 export default defineEventHandler(async (event) => {
   const requestStart = Date.now()
   const requestOrigin = getHeader(event, 'origin')
+  const { origin: webauthnOrigin } = getWebAuthnConfig()
   
   console.log('[DEBUG] register-passkey request received', {
     origin: requestOrigin,
+    webauthnOrigin,
     timestamp: new Date().toISOString()
   })
 
+  // CORS-Header für Cross-Device Authentication
+  const allowedOrigin = requestOrigin || webauthnOrigin
+  if (allowedOrigin) {
+    setHeader(event, 'Access-Control-Allow-Origin', allowedOrigin)
+    setHeader(event, 'Access-Control-Allow-Credentials', 'true')
+    setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
+    setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization, Origin, X-Requested-With')
+  }
+
+  // OPTIONS Preflight-Request
+  if (getMethod(event) === 'OPTIONS') {
+    console.log('[DEBUG] OPTIONS preflight request, returning 204')
+    setResponseStatus(event, 204)
+    return null
+  }
+
   const body = await readBody(event)
   const registrationId = String(body?.registrationId || '')
   const response = body?.credential