Merge branch 'dev'

api/src/main/java/fr/gameovergne/api/config/SecurityConfig.java

@@ -61,17 +61,26 @@ public class SecurityConfig {
     @Bean
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration config = new CorsConfiguration();
-        config.setAllowedOriginPatterns(Arrays.asList(
-            "http://localhost:4200", 
-            "http://127.0.0.1:4200", 
-            "https://dev.vincent-guillet.fr",
-            "https://projets.vincent-guillet.fr"
-            ));
-        config.setAllowedMethods(Arrays.asList("GET","POST","PUT","DELETE","OPTIONS"));
-        config.setAllowedHeaders(Arrays.asList("Authorization","Content-Type","Accept"));
-        config.setExposedHeaders(Arrays.asList("Authorization"));
+
+        // IMPORTANT : origins explicites, sans path
+        config.setAllowedOrigins(Arrays.asList(
+                "http://localhost:4200",
+                "http://127.0.0.1:4200",
+                "https://dev.vincent-guillet.fr",
+                "https://projets.vincent-guillet.fr"
+        ));
+
         config.setAllowCredentials(true);
 
+        // Autoriser tous les headers côté requête (plus robuste)
+        config.setAllowedHeaders(Arrays.asList("*"));
+
+        // Autoriser les méthodes classiques
+        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+
+        // Headers que le client *voit* dans la réponse
+        config.setExposedHeaders(Arrays.asList("Authorization", "Content-Type"));
+
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", config);
         return source;