From 895cd5cc3956d6220cf113f536fb952127a7aa21 Mon Sep 17 00:00:00 2001
From: Adam Shiervani <adam.shiervani@gmail.com>
Date: Tue, 14 Oct 2025 16:17:43 +0200
Subject: [PATCH] feat: add CORS support for device status endpoint

---
 web.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/web.go b/web.go
index 45253579..0fd968b8 100644
--- a/web.go
+++ b/web.go
@@ -725,6 +725,18 @@ func handleDeletePassword(c *gin.Context) {
 }
 
 func handleDeviceStatus(c *gin.Context) {
+	// Add CORS headers to allow cross-origin requests
+	// This is safe because device/status is a public endpoint
+	c.Header("Access-Control-Allow-Origin", "*")
+	c.Header("Access-Control-Allow-Methods", "GET, OPTIONS")
+	c.Header("Access-Control-Allow-Headers", "Content-Type")
+
+	// Handle preflight requests
+	if c.Request.Method == "OPTIONS" {
+		c.AbortWithStatus(http.StatusNoContent)
+		return
+	}
+
 	response := DeviceStatus{
 		IsSetup: config.LocalAuthMode != "",
 	}