simo пре 2 дана
родитељ
комит
7d455fee89

+ 1 - 0
astro.config.mjs

@@ -4,5 +4,6 @@ import node from "@astrojs/node";
 
 export default defineConfig({
   output: "server",
+  security: { checkOrigin: false },
   adapter: node({ mode: "standalone" }),
 });
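Review bot: `security: { checkOrigin: false }` switches off Astro's built-in Origin check for on-demand rendered routes, and this same commit also deletes the hand-written `checkOrigin` helper from `src/utils/auth.ts`, so after the change nothing on the server compares the `Origin` header on state-changing requests. If the motivation is a reverse proxy that makes `request.url` differ from the public origin (not visible on this page), it would be safer to fix the forwarded host/protocol handling and keep the check enabled with `security: { checkOrigin: true },`. If the flag has to stay off, add a comment on that line recording why and what replaces it, for example `// origin check disabled because <reason>; CSRF defence is <mechanism>`.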

+ 1 - 3
src/pages/api/game/[id]/complete.ts

@@ -1,11 +1,9 @@
 import type { APIRoute } from "astro";
 import { init, getGame, updateGame, getUser, updateUserStats, addRatingHistory, json } from "@utils/db";
-import { getUserFromRequest, checkOrigin } from "@utils/auth";
+import { getUserFromRequest } from "@utils/auth";
 import { calculateNewRatings } from "@utils/elo";
 
 export const POST: APIRoute = async ({ request, params }) => {
-  const blocked = checkOrigin(request);
-  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);
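Review bot: The POST handler now goes straight from `init()` to `getUserFromRequest(request)` with no cross-origin guard, although it imports `updateUserStats` and `addRatingHistory` and so presumably changes ratings. The only cookie attribute visible on this page is `SameSite=Lax` in `clearUserCookie`, and the cookie setter is not shown. If the session relies on that cookie, SameSite becomes the sole CSRF defence, and it does not cover requests from other sites under the same registrable domain. The same applies to POST in `src/pages/api/game/[id]/index.ts`, PATCH in `src/pages/api/game/[id]/score.ts` and POST in `src/pages/api/game/index.ts`. I would keep a guard at the top of each mutating handler, `const blocked = checkOrigin(request); if (blocked) return blocked;`, and if the old comparison against `request.url` was failing behind a proxy, compare `Origin` against a configured public origin instead. The handler body continues outside the hunk.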

+ 1 - 3
src/pages/api/game/[id]/index.ts

@@ -1,6 +1,6 @@
 import type { APIRoute } from "astro";
 import { init, getGame, updateGame, json } from "@utils/db";
-import { getUserFromRequest, checkOrigin } from "@utils/auth";
+import { getUserFromRequest } from "@utils/auth";
 
 export const GET: APIRoute = async ({ params }) => {
   await init();
@@ -11,8 +11,6 @@ export const GET: APIRoute = async ({ params }) => {
 
 // Join as player 2
 export const POST: APIRoute = async ({ request, params }) => {
-  const blocked = checkOrigin(request);
-  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);

+ 1 - 3
src/pages/api/game/[id]/score.ts

@@ -1,10 +1,8 @@
 import type { APIRoute } from "astro";
 import { init, getGame, updateGame, json } from "@utils/db";
-import { getUserFromRequest, checkOrigin } from "@utils/auth";
+import { getUserFromRequest } from "@utils/auth";
 
 export const PATCH: APIRoute = async ({ request, params }) => {
-  const blocked = checkOrigin(request);
-  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);

+ 1 - 3
src/pages/api/game/index.ts

@@ -1,6 +1,6 @@
 import type { APIRoute } from "astro";
 import { init, createGame, getRecentGames, json } from "@utils/db";
-import { getUserFromRequest, checkOrigin } from "@utils/auth";
+import { getUserFromRequest } from "@utils/auth";
 
 export const GET: APIRoute = async () => {
   await init();
@@ -9,8 +9,6 @@ export const GET: APIRoute = async () => {
 };
 
 export const POST: APIRoute = async ({ request }) => {
-  const blocked = checkOrigin(request);
-  if (blocked) return blocked;
   await init();
 
   const currentUser = getUserFromRequest(request);

+ 0 - 11
src/utils/auth.ts

@@ -15,17 +15,6 @@ export function clearUserCookie(): string {
   return `klask_user=; Path=/; SameSite=Lax; Max-Age=0`;
 }
 
-export function checkOrigin(request: Request): Response | null {
-  const origin = request.headers.get("origin");
-  if (!origin) return null; // same-origin requests (non-browser) omit Origin
-  const requestUrl = new URL(request.url);
-  if (origin === requestUrl.origin) return null;
-  return new Response(JSON.stringify({ error: "Forbidden" }), {
-    status: 403,
-    headers: { "Content-Type": "application/json" },
-  });
-}
-
 export function validateName(name: string): string | null {
   const trimmed = name.trim();
   if (trimmed.length < 2) return "Name must be at least 2 characters";