From d72dda9cea8f79858cde6ff4bd9f990236e0e0cd Mon Sep 17 00:00:00 2001
From: Ghvst <impoissants@gmail.com>
Date: Sat, 28 Mar 2026 19:52:45 +0100
Subject: [PATCH] fix(server): remove wide-open CORS middleware

Remove the unconfigured `cors()` middleware that was setting
`Access-Control-Allow-Origin: *` on all routes, allowing any website
to make cross-origin requests to the server.

CORS is unnecessary for this server because:
- The primary client is the Tauri desktop app, which doesn't use
  browser fetch and is unaffected by CORS
- The auth callback HTML page is served directly by the server
  itself (same-origin), so no cross-origin access is needed
- The /health and /metrics endpoints have no legitimate browser
  cross-origin consumers

Removing CORS entirely is the most secure option. If cross-origin
browser access is needed in the future, CORS can be re-added with
an explicit origin allowlist.

SUSTN-Task: 950c7bb2-9bba-4e03-9319-4a5b88c71b54
---
 server/src/index.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/server/src/index.ts b/server/src/index.ts
index a922882..139692f 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -1,5 +1,4 @@
 import { Hono } from "hono";
-import { cors } from "hono/cors";
 import { logger } from "hono/logger";
 import type { Bindings } from "./lib/config.js";
 import { auth } from "./routes/auth.js";
@@ -9,7 +8,6 @@ import { metrics } from "./routes/metrics.js";
 const app = new Hono<{ Bindings: Bindings }>();
 
 app.use("*", logger());
-app.use("*", cors());
 
 app.route("/", auth);
 app.route("/", health);