Browser Blocks API Calls (Broken CORS Preflight)

Problem

A single-page app at https://app.example.com (and http://localhost:3000 in dev)
talks to a JSON API on a different origin. The SPA sends an Authorization header
and cookies (credentialed requests).

After a deploy, the browser console is full of CORS errors and **all authenticated
requests fail before they reach the server**:

• •Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response
• •Preflight OPTIONS requests return 404 instead of a successful empty response.

Simple same-origin and disallowed-origin behavior looks fine; the breakage is
specifically around credentialed cross-origin requests and preflight.

Requirements / Interface

Fix cors.js. Keep the export corsMiddleware(req, res, next) (Express-style).

The middleware must, for allowed origins (https://app.example.com,
http://localhost:3000):

• •Echo the request Origin in Access-Control-Allow-Origin and set Vary: Origin.
• •Set Access-Control-Allow-Credentials: true.
• •Set Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS.
• •Set Access-Control-Allow-Headers to include both Content-Type and Authorization.

For a preflight (req.method === 'OPTIONS'): respond with 204 and end the
response (do NOT call next() / fall through to the app).

Disallowed origins must NOT receive an Access-Control-Allow-Origin header.

Examples

OPTIONS  Origin: https://app.example.com  ->  204, CORS headers, no body
GET      Origin: http://localhost:3000    ->  next(), allow-origin echoed
GET      Origin: https://evil.example.com ->  next(), no allow-origin header

Constraints

• •Standard library / built-ins only; no new dependencies.
• •Header name matching by the grader is case-insensitive.
• •Keep the change focused on CORS handling.

Scoring

bash grader/verify.sh

Accepted when all tests in grader/tests/cors.test.js pass. Leaderboards rank
accepted runs by tokens, estimated cost, and wall-clock time.