refactor: move CORS config from global to route-specific locations in nginx.conf

nginx.conf

@@ -1,4 +1,3 @@
-# Main server block
 server {
     listen 80;
     server_name localhost;
@@ -9,12 +8,24 @@ server {
     gzip on;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
-    # Global CORS configuration
+    # DATA API ENDPOINTS - NO AUTHENTICATION
+    location ^~ /data/ {
+        auth_basic off;
+        proxy_pass http://localhost:3000/data/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # CORS headers
         add_header 'Access-Control-Allow-Origin' '*' always;
         add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
         add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
 
-    # Global OPTIONS handler
+        # Preflight requests
         if ($request_method = 'OPTIONS') {
             add_header 'Access-Control-Allow-Origin' '*';
             add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
@@ -24,43 +35,39 @@ server {
             add_header 'Content-Length' 0;
             return 204;
         }
-    
-    # DATA API ENDPOINTS - NO AUTHENTICATION
-    # This location must be defined BEFORE the root location to take precedence
-    location ^~ /data/ {
-        # Explicitly disable authentication for data API
-        auth_basic off;
-        
-        # API Proxy configuration
-        proxy_pass http://localhost:3000/data/;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
-        proxy_set_header Host $host;
-        proxy_cache_bypass $http_upgrade;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
 
     # AUTHENTICATED APPLICATION ROUTES
-    # This covers all routes except those specifically excluded above
     location / {
-        # Apply authentication
         include /etc/nginx/auth.conf;
-        
-        # Serve static files
         try_files $uri $uri/ /index.html;
+
+        # CORS headers
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
+
+        # Preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
     }
 
     # Enable browser caching for static assets
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
-        # Include authentication for static assets
         include /etc/nginx/auth.conf;
-        
         expires 30d;
         add_header Cache-Control "public, no-transform";
         add_header 'Access-Control-Allow-Origin' '*' always;
     }
+}
+
 
     # Error pages
     error_page 404 /index.html;