fix: handle CORS preflight before authentication

[TheSanjBot]

What

Handle CORS preflight requests before authentication runs.

Browsers dont send authentication cookies with preflight OPTIONS requests, so routes could fail before CORS headers were added. This caused the block

This keeps the change narrow by returning early only for real preflight requests: OPTIONS requests with both Origin and Access-Control-Request-Method headers.

Added a regression test for a facet preflight request.

Large Language Models usage disclosure

Used ChatGPT to understand the CORS code paths

Related issue(s) and discussion

• Fixes: CORS Preflight (OPTIONS) fails with 503 when authentication is required #13555

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.43%. Comparing base (f11c7f3) to head (9ebc82e).
⚠️ Report is 33 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13573      +/-   ##
==========================================
+ Coverage   49.21%   54.43%   +5.21%     
==========================================
  Files          97       98       +1     
  Lines       25555    25613      +58     
  Branches     6105     6114       +9     
==========================================
+ Hits        12578    13942    +1364     
+ Misses      11346     9870    -1476     
- Partials     1631     1801     +170     

Flag	Coverage Δ
integration-test-group-1	8.94% <ø> (?)
integration-test-group-2	9.11% <ø> (?)
integration-test-group-3	32.83% <ø> (?)
integration-test-group-4	28.53% <ø> (?)
integration-test-group-6	9.47% <ø> (?)
integration-test-group-7	27.66% <ø> (?)
integration-test-group-8	26.36% <ø> (?)
integration-test-group-9	12.92% <ø> (?)
unit-test-group-1	24.63% <ø> (ø)
unit-test-group-2	34.31% <ø> (ø)
unit-test-group-3	23.33% <ø> (ø)
unit-test-group-4	30.14% <ø> (ø)
unit-test-group-5	15.77% <ø> (ø)
unit-test-group-6	27.03% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[alexgarel]

LGTM, thanks !

[alexgarel]

Thanks @TheSanjBot ! Really cool.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud