THE CORS PREFLIGHT TRAP - solved by Gemini consultation.

ROOT CAUSE:
- Browser sends OPTIONS request BEFORE POST (CORS preflight)
- We only had cors() on router.post(), not router.options()
- Express had no OPTIONS handler, ignored CORS middleware
- Browser got response without Access-Control-Allow-Origin header
- Result: CORS error, POST request never sent

THE FIX (one line):
    router.options('/create-checkout-session', cors(corsOptions));

This tells Express: 'When browser asks permission (OPTIONS),
say YES using CORS middleware.'

GEMINI INSIGHTS:
- fetch() with Content-Type triggers 'complex request' preflight
- OPTIONS request must be explicitly handled
- Added Cloudflare Pages preview domain to allowed origins

FILES MODIFIED:
- services/arbiter-3.0/src/routes/stripe.js (+4 lines)

DEPLOYMENT:
Copy to /opt/arbiter-3.0/src/routes/stripe.js and restart service

Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>
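
Added example (not part of the commit or the project's code): a simplified model of the browser-side preflight check described in the root cause above, showing why an OPTIONS response without Access-Control-Allow-Origin stops the POST from being sent. The origin, the application/json content type and both sample responses are constructed assumptions; credentialed requests are not modelled.

```javascript
// Simplified model of the browser's CORS preflight rules (added example).
// All origins, headers and responses below are constructed samples.
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];

// Lower-case header names so lookups are case-insensitive.
const lower = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// Request header names that the preflight response must explicitly approve.
function unsafeHeaders(reqHeaders) {
  return Object.entries(lower(reqHeaders)).filter(([name, value]) => {
    if (name === 'content-type') return !SAFE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
    return !SAFE_HEADERS.includes(name);
  }).map(([name]) => name);
}

// True when the browser sends an OPTIONS request before the real one.
function needsPreflight(req) {
  return !SAFE_METHODS.includes(req.method) || unsafeHeaders(req.headers).length > 0;
}

// Decide whether the browser goes on to send the real request.
function preflightVerdict(req, res) {
  const h = lower(res.headers);
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (res.status < 200 || res.status > 299) return 'blocked: preflight status not ok';
  const acao = h['access-control-allow-origin'];
  if (acao !== '*' && acao !== req.origin) return 'blocked: missing or mismatched Access-Control-Allow-Origin';
  const methods = list(h['access-control-allow-methods']);
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method.toLowerCase()) && !methods.includes('*')) {
    return 'blocked: method not allowed';
  }
  const allowed = list(h['access-control-allow-headers']);
  const missing = unsafeHeaders(req.headers).filter((n) => !allowed.includes(n) && !allowed.includes('*'));
  return missing.length ? 'blocked: header not allowed: ' + missing.join(',') : 'allowed';
}

// The checkout call, assumed to be a JSON POST from a page on another origin.
const checkout = { method: 'POST', origin: 'https://app.example.com', headers: { 'Content-Type': 'application/json' } };
// Preflight answered with no CORS headers (the state before the fix).
const before = { status: 200, headers: { Allow: 'POST' } };
// Preflight answered by a CORS handler on the OPTIONS route (after the fix).
const after = { status: 204, headers: {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Methods': 'POST',
  'Access-Control-Allow-Headers': 'Content-Type' } };
console.log(needsPreflight(checkout), '|', preflightVerdict(checkout, before), '|', preflightVerdict(checkout, after));
```

The same verdict function can be pointed at the headers of a real OPTIONS response captured from the deployed route to confirm that each origin in the allow list, and no other, gets through.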