From 634f99240f8c628225c8d62213fc47b90787c8d3 Mon Sep 17 00:00:00 2001
From: CodingPhoenixx
Date: Mon, 16 Feb 2026 21:37:35 +0100
Subject: [PATCH] Configure CORS for web server and secure refresh token with HTTP-only cookies
---
 src/main/java/dev/coph/flightscore/backend/Backend.java | 4 ++++
 .../backend/requestHandler/auth/LoginRequestHandler.java | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/main/java/dev/coph/flightscore/backend/Backend.java b/src/main/java/dev/coph/flightscore/backend/Backend.java
index 415f767..7ce8927 100644
--- a/src/main/java/dev/coph/flightscore/backend/Backend.java
+++ b/src/main/java/dev/coph/flightscore/backend/Backend.java
@@ -93,6 +93,10 @@ public class Backend {
 providerManager.enableAllProviders();
 logger.success("Providers enabled!");
 
+ logger.info("Configuring web server...");
+ webServer.addAllowedOrigin("http://localhost:3000");
+ logger.success("Web server configured!");
+
 logger.info("Starting web server...");
 webServer.start();
 logger.success("Web server started!");
diff --git a/src/main/java/dev/coph/flightscore/backend/requestHandler/auth/LoginRequestHandler.java b/src/main/java/dev/coph/flightscore/backend/requestHandler/auth/LoginRequestHandler.java
index ab3a83a..3e483d6 100644
--- a/src/main/java/dev/coph/flightscore/backend/requestHandler/auth/LoginRequestHandler.java
+++ b/src/main/java/dev/coph/flightscore/backend/requestHandler/auth/LoginRequestHandler.java
@@ -8,6 +8,7 @@ import dev.coph.simplerequest.handler.RequestHandler;
 import dev.coph.simplerequest.handler.RequestMethod;
 import dev.coph.simplerequest.util.ResponseUtil;
 import lombok.extern.slf4j.Slf4j;
+import org.eclipse.jetty.http.HttpCookie;
 import org.eclipse.jetty.http.HttpStatus;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.util.Callback;
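Review bot: The allowed CORS origin is hard-coded to the dev frontend `http://localhost:3000` in the Backend startup sequence, so a production build either fails every browser request or ships with a localhost origin allowed; read it from configuration next to the other server settings, e.g. `webServer.addAllowedOrigin(config.allowedOrigin());` (constructed placeholder — use whatever config object Backend already loads). Because the same commit moves the refresh token into a cookie, the CORS response must also allow credentials for that cookie to be sent cross-origin; whether `addAllowedOrigin` emits `Access-Control-Allow-Credentials` is not visible here, so confirm it, and confirm credentials are never combined with a wildcard origin. The enclosing method starts and ends outside the hunk.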
@@ -60,8 +61,7 @@ public class LoginRequestHandler {
 var responseObject = new JSONObject();
 responseObject.put("accessToken", loginResponse.accessToken());
- responseObject.put("refreshToken", loginResponse.refreshToken());
-
+ Response.addCookie(response, HttpCookie.build("refreshToken", loginResponse.refreshToken()).httpOnly(true).build());
 ResponseUtil.writeSuccessfulAnswer(response, callback, responseObject);
 }
 }
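Review bot: The refresh-token cookie added with `Response.addCookie` is `httpOnly` but carries no `Secure` flag, `SameSite` attribute, `Path` or `Max-Age`, so it can be sent over plain HTTP, is attached to every request to the host rather than only the refresh endpoint, and is discarded when the browser closes while the token itself stays valid server-side. Build it with the full set, e.g. `HttpCookie.build("refreshToken", loginResponse.refreshToken()).httpOnly(true).secure(true).sameSite(HttpCookie.SameSite.STRICT).path("/auth/refresh").maxAge(refreshTokenTtlSeconds).build()` (the path and TTL are placeholders for the real refresh route and token lifetime). `secure(true)` should still work with the dev frontend since current browsers treat `localhost` as a secure context, but verify that against the browsers you support. The refresh and any logout handler now have to read the token from the cookie instead of the JSON body, which this commit does not show. The enclosing handler method starts outside the hunk.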