fix: format code for better readability and add CORS handling for OPTIONS requests

server/middleware.py

@@ -44,7 +44,8 @@ def register_request_hooks(app: Flask) -> None:
     @app.after_request
     def add_request_id_header(response):  # type: ignore[unused-ignore]
         try:
-            rid = getattr(request, "request_id", None) or request.environ.get("HTTP_X_REQUEST_ID")
+            rid = getattr(request, "request_id", None) or request.environ.get(
+                "HTTP_X_REQUEST_ID")
             if rid:
                 response.headers["X-Request-Id"] = rid
 
@@ -62,7 +63,27 @@ def register_request_hooks(app: Flask) -> None:
                     pass
 
             start_time = getattr(g, "_start_time", None)
-            observe_request(request.method, request.path, start_time, response.status_code)
+            observe_request(request.method, request.path,
+                            start_time, response.status_code)
         except Exception:
             pass
         return response
+
+    @app.after_request
+    def add_cors_headers(response):  # type: ignore[unused-ignore]
+        # Add CORS headers for embedded forms
+        if request.path.startswith("/api/"):
+            response.headers["Access-Control-Allow-Origin"] = "*"
+            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
+
+        return response
+
+    @app.before_request
+    def handle_options():  # type: ignore[unused-ignore]
+        if request.method == "OPTIONS":
+            response = app.response_class()
+            response.headers["Access-Control-Allow-Origin"] = "*"
+            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
+            response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
+            return response