From d0f41920f7f4cc7a4c8045287fd777b0df6af623 Mon Sep 17 00:00:00 2001
From: silverpro89 <nguyentrungkien89@gmail.com>
Date: Tue, 24 Feb 2026 14:35:32 +0700
Subject: [PATCH] update CORS

---
 app.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/app.js b/app.js
index 992bc95..9d08327 100644
--- a/app.js
+++ b/app.js
@@ -69,8 +69,15 @@ app.use(helmet({
   },
 }));
 app.use(cors({
-  origin: config.cors.origin,
+  origin: (origin, callback) => {
+    // Allow requests with no origin (mobile apps, Postman, server-to-server)
+    if (!origin) return callback(null, true);
+    // Allow all origins but still support credentials
+    return callback(null, true);
+  },
   credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
 }));
 
 /**