From a316763aca88a18405a3c46bcb4e0e8d2a73445c Mon Sep 17 00:00:00 2001
From: Franz Kafka <kafka@ashisgreat.xyz>
Date: Sun, 22 Mar 2026 16:38:03 +0000
Subject: [PATCH] fix(test): update CORS preflight test for deny-all default

Empty CORSConfig now means no CORS headers, matching the security fix.
Test explicitly configures an origin to test preflight behavior.
---
 internal/middleware/cors_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/middleware/cors_test.go b/internal/middleware/cors_test.go
index 4f3f6c2..f24ed65 100644
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@@ -51,7 +51,7 @@ func TestCORS_SpecificOrigin(t *testing.T) {
 }
 
 func TestCORS_Preflight(t *testing.T) {
-	h := CORS(CORSConfig{})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	h := CORS(CORSConfig{AllowedOrigins: []string{"https://example.com"}})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t.Error("handler should not be called for preflight")
 	}))
 
@@ -100,6 +100,7 @@ func TestCORS_CustomMethodsAndHeaders(t *testing.T) {
 	})(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 
 	req := httptest.NewRequest("OPTIONS", "/search", nil)
+	req.Header.Set("Origin", "https://example.com")
 	rec := httptest.NewRecorder()
 	h.ServeHTTP(rec, req)