From 6f57e19c2aa069d287c50d2e55386e9fbe90af98 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 00:54:09 +0200
Subject: [PATCH] fix: add CORS middleware for admin console origin on default
 tenant

The admin console (port 3002) calls the Management API on the
default tenant (port 443). Add Traefik CORS headers to allow
cross-origin requests from the admin console origin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docker-compose.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index cdaa4a7..8948c61 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -82,6 +82,11 @@ services:
       - traefik.http.routers.logto.priority=1
       - traefik.http.routers.logto.entrypoints=websecure
       - traefik.http.routers.logto.tls=true
+      - traefik.http.routers.logto.middlewares=logto-cors
+      - traefik.http.middlewares.logto-cors.headers.accessControlAllowOriginList=${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:3002
+      - traefik.http.middlewares.logto-cors.headers.accessControlAllowMethods=GET,POST,PUT,PATCH,DELETE,OPTIONS
+      - traefik.http.middlewares.logto-cors.headers.accessControlAllowHeaders=Authorization,Content-Type
+      - traefik.http.middlewares.logto-cors.headers.accessControlAllowCredentials=true
       - traefik.http.services.logto.loadbalancer.server.port=3001
       - traefik.http.routers.logto-console.rule=PathPrefix(`/`)
       - traefik.http.routers.logto-console.entrypoints=admin-console