Add single-file HTML/JS client

api/api.go

@@ -32,17 +32,35 @@ func New(store *db.Store, password string, notify Notifier) *Server {
 }
 
 func (s *Server) Handler() http.Handler {
-	if s.password == "" {
+	var handler http.Handler = s.mux
-		return s.mux
+
+	// Wrap with auth middleware if password is set
+	if s.password != "" {
+		authHandler := handler
+		handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			auth := r.Header.Get("Authorization")
+			if !strings.HasPrefix(auth, "Bearer ") || auth[7:] != s.password {
+				writeError(w, http.StatusUnauthorized, "invalid or missing authorization")
+				return
+			}
+			authHandler.ServeHTTP(w, r)
+		})
 	}
-	// Wrap with auth middleware
+
+	// Wrap with CORS middleware (allow all origins)
+	corsHandler := handler
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		auth := r.Header.Get("Authorization")
+		w.Header().Set("Access-Control-Allow-Origin", "*")
-		if !strings.HasPrefix(auth, "Bearer ") || auth[7:] != s.password {
+		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
-			writeError(w, http.StatusUnauthorized, "invalid or missing authorization")
+		w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+
+		// Handle preflight requests
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusNoContent)
 			return
 		}
-		s.mux.ServeHTTP(w, r)
+
+		corsHandler.ServeHTTP(w, r)
 	})
 }