From e7e9d7815cf88faceb747ef74bd2104cbeadbe02 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 7 Jan 2026 21:02:58 +0100
Subject: [PATCH] Refactor CORS header handling in authentication endpoints

Update the CORS header variable name from 'origin' to 'requestOrigin' in both login and registration API endpoints for improved clarity and consistency. This change enhances the readability of the code while maintaining support for cross-device authentication.
---
 server/api/auth/passkeys/login.post.js | 6 +++---
 server/api/auth/passkeys/register.post.js | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/server/api/auth/passkeys/login.post.js b/server/api/auth/passkeys/login.post.js
index 8295077..71b90c1 100644
--- a/server/api/auth/passkeys/login.post.js
+++ b/server/api/auth/passkeys/login.post.js
@@ -19,9 +19,9 @@ function findUserByCredentialId(users, credentialId) {
 export default defineEventHandler(async (event) => {
 // CORS-Header für Cross-Device Authentication
- const origin = getHeader(event, 'origin')
- if (origin) {
- setHeader(event, 'Access-Control-Allow-Origin', origin)
+ const requestOrigin = getHeader(event, 'origin')
+ if (requestOrigin) {
+ setHeader(event, 'Access-Control-Allow-Origin', requestOrigin)
 setHeader(event, 'Access-Control-Allow-Credentials', 'true')
 setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
 setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')
diff --git a/server/api/auth/passkeys/register.post.js b/server/api/auth/passkeys/register.post.js
index 4ebc0ee..534b296 100644
--- a/server/api/auth/passkeys/register.post.js
+++ b/server/api/auth/passkeys/register.post.js
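Review bot: The renamed `requestOrigin` is still copied unchecked into `Access-Control-Allow-Origin` while `Access-Control-Allow-Credentials` is set to `true`, so every origin is granted credentialed cross-origin access to the passkey login endpoint and can read its responses; the identical block in the register.post.js hunk has the same problem. Compare the header against a configured allowlist before echoing it, e.g. `if (requestOrigin && allowedOrigins.includes(requestOrigin)) {` (`allowedOrigins` is a placeholder for whatever configuration the project provides), and add `setHeader(event, 'Vary', 'Origin')` so caches do not reuse a response across origins. Whether these handlers rely on cookies or another ambient credential is not visible here, and both handler bodies continue outside their hunks.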
@@ -7,9 +7,9 @@ import { writeAuditLog } from '../../../utils/audit-log.js'
 export default defineEventHandler(async (event) => {
 // CORS-Header für Cross-Device Authentication
- const origin = getHeader(event, 'origin')
- if (origin) {
- setHeader(event, 'Access-Control-Allow-Origin', origin)
+ const requestOrigin = getHeader(event, 'origin')
+ if (requestOrigin) {
+ setHeader(event, 'Access-Control-Allow-Origin', requestOrigin)
 setHeader(event, 'Access-Control-Allow-Credentials', 'true')
 setHeader(event, 'Access-Control-Allow-Methods', 'POST, OPTIONS')
 setHeader(event, 'Access-Control-Allow-Headers', 'Content-Type, Authorization')