Add CORS policy.

Marechai.Server/Program.cs

@@ -209,6 +209,28 @@ file class Program
 
         builder.Services.AddScoped<TokenService, TokenService>();
 
+        // Read allowed CORS origins from configuration
+        string[] allowedOrigins = builder.Configuration.GetSection("CORS:AllowedOrigins").Get<string[]>();
+
+        builder.Services.AddCors(options =>
+        {
+            options.AddPolicy("AllowFrontend",
+                              policy =>
+                              {
+                                  switch(allowedOrigins)
+                                  {
+                                      case ["*"]:
+                                          policy.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod();
+
+                                          break;
+                                      case { Length: > 0 }:
+                                          policy.WithOrigins(allowedOrigins).AllowAnyHeader().AllowAnyMethod();
+
+                                          break;
+                                  }
+                              });
+        });
+
         WebApplication app = builder.Build();
 
         // Configure the HTTP request pipeline.
@@ -216,6 +238,9 @@ file class Program
 
         app.UseHttpsRedirection();
 
+        // Use CORS before authentication/authorization
+        app.UseCors("AllowFrontend");
+
         app.UseAuthentication();
         app.UseAuthorization();
 

Marechai.Server/appsettings.json

@@ -10,6 +10,11 @@
     }
   },
   "AllowedHosts":      "*",
+  "CORS":              {
+    "AllowedOrigins": [
+      "*"
+    ]
+  },
   "MarechaiRoles":     [
     {
       "Name":        "UberAdmin",