From 7a2b6fccec2899d0f26ce267bdd6f42732d5ef3a Mon Sep 17 00:00:00 2001
From: Michael Bryzek <mbryzek@alum.mit.edu>
Date: Mon, 2 Mar 2026 18:48:51 -0500
Subject: [PATCH 1/2] Fix CORS config: remove duplicate and move localhost to
 dev only

- Remove duplicate play.filters.cors.allowedHttpMethods line
- Move http://localhost:5173 from base.conf to devandtest.conf so
  localhost origin is not allowed in production

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 api/conf/base.conf       | 6 +-----
 api/conf/devandtest.conf | 6 ++++++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/api/conf/base.conf b/api/conf/base.conf
index 37f99d178..55fdd8fcf 100644
--- a/api/conf/base.conf
+++ b/api/conf/base.conf
@@ -11,14 +11,10 @@ evolutionplugin=disabled
 
 play.filters.cors.preflightMaxAge = 3 days
 play.filters.cors.allowedHttpMethods = ["DELETE", "GET", "PATCH", "POST", "PUT", "OPTIONS"]
-play.filters.cors.allowedHttpMethods = ["DELETE", "GET", "PATCH", "POST", "PUT", "OPTIONS"]
 play.filters.cors.allowedOrigins = [
   "https://app.apibuilder.io",
-  "https://app.apibuilder.org",
-  "http://localhost:5173"
+  "https://app.apibuilder.org"
 ]
-
-
 play.http.errorHandler = "io.apicollective.play.ErrorHandler"
 play.http.filters = "io.apicollective.play.LoggingFilter"
 play.http.parser.maxMemoryBuffer=10M
diff --git a/api/conf/devandtest.conf b/api/conf/devandtest.conf
index 445106913..f1255527e 100644
--- a/api/conf/devandtest.conf
+++ b/api/conf/devandtest.conf
@@ -9,3 +9,9 @@ play.http.secret.key="development:uauTKwTxIpP4dWJA53s1ekGwpPdVfUmdCmSMgxa4"
 
 mail.localDeliveryDir="/tmp/email.apibuilder"
 
+play.filters.cors.allowedOrigins = [
+  "https://app.apibuilder.io",
+  "https://app.apibuilder.org",
+  "http://localhost:5173"
+]
+

From cfbb474ddad6cf962858155fabd2efdedd06e6e8 Mon Sep 17 00:00:00 2001
From: Michael Bryzek <mbryzek@alum.mit.edu>
Date: Mon, 2 Mar 2026 19:11:07 -0500
Subject: [PATCH 2/2] Use HOCON list append for localhost CORS origin in
 devandtest

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 api/conf/devandtest.conf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/api/conf/devandtest.conf b/api/conf/devandtest.conf
index f1255527e..6e98a539c 100644
--- a/api/conf/devandtest.conf
+++ b/api/conf/devandtest.conf
@@ -9,9 +9,5 @@ play.http.secret.key="development:uauTKwTxIpP4dWJA53s1ekGwpPdVfUmdCmSMgxa4"
 
 mail.localDeliveryDir="/tmp/email.apibuilder"
 
-play.filters.cors.allowedOrigins = [
-  "https://app.apibuilder.io",
-  "https://app.apibuilder.org",
-  "http://localhost:5173"
-]
+play.filters.cors.allowedOrigins += ["http://localhost:5173"]