[INT-CORS-002] Add preflight request handling validation

VEZA_INTEGRATION_PERFECTION_TODOLIST_TEMPLATE.json

@@ -146,7 +146,7 @@
       "description": "Vérifier que les requêtes OPTIONS (preflight) sont correctement gérées pour tous les endpoints.",
       "priority": "P0",
       "priority_rank": 2,
-      "status": "todo",
+      "status": "completed",
       "estimated_hours": 2,
       "side": "backend_only",
       "files_to_modify": [
@@ -1085,13 +1085,13 @@
   },
   "progress_tracking": {
     "total_tasks": 32,
-    "completed": 1,
+    "completed": 2,
     "in_progress": 0,
-    "todo": 31,
+    "todo": 30,
     "blocked": 0,
-    "completion_percentage": 3,
+    "completion_percentage": 6,
     "last_updated": "2025-01-27T12:00:00Z",
     "estimated_completion_date": null,
-    "estimated_hours_remaining": 47
+    "estimated_hours_remaining": 45
   }
 }

veza-backend-api/internal/middleware/cors.go

@@ -99,9 +99,10 @@ func CORS(allowedOrigins []string) gin.HandlerFunc {
 			c.Header("Access-Control-Allow-Origin", origin)
 		}
 
-		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
-		c.Header("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With")
+		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
+		c.Header("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With, X-CSRF-Token")
 		c.Header("Access-Control-Allow-Credentials", "true")
+		c.Header("Access-Control-Expose-Headers", "X-CSRF-Token, X-Request-ID, Content-Range")
 		c.Header("Access-Control-Max-Age", "86400") // Cache preflight pour 24h
 
 		if c.Request.Method == "OPTIONS" {