Ensure cors headers are also returned for other requests

app/controllers/api/v1/registrant/auth_controller.rb

@@ -5,6 +5,7 @@ module Api
   module V1
     module Registrant
       class AuthController < ActionController::API
+        before_action :set_cors_header
         before_action :check_ip_whitelist
 
         rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
@@ -27,6 +28,10 @@ module Api
 
         private
 
+        def set_cors_header
+          response.headers['Access-Control-Allow-Origin'] = '*'
+        end
+
         def eid_params
           required_params = %i[ident first_name last_name]
           required_params.each_with_object(params) do |key, obj|

app/controllers/api/v1/registrant/base_controller.rb

@@ -5,6 +5,7 @@ module Api
   module V1
     module Registrant
       class BaseController < ActionController::API
+        before_action :set_cors_header
         before_action :authenticate
         before_action :set_paper_trail_whodunnit
 
@@ -17,6 +18,10 @@ module Api
 
         private
 
+        def set_cors_header
+          response.headers['Access-Control-Allow-Origin'] = '*'
+        end
+
         def bearer_token
           pattern = /^Bearer /
           header  = request.headers['Authorization']

test/integration/api/registrant/registrant_api_cors_headers_test.rb

@@ -24,4 +24,12 @@ class RegistrantApiCorsHeadersTest < ApplicationIntegrationTest
 
     assert_equal('', response.body)
   end
+
+  def test_it_returns_cors_headers_for_other_requests
+    post '/api/v1/registrant/auth/eid', {}
+    assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+
+    get '/api/v1/registrant/contacts', {}
+    assert_equal('*', response.headers['Access-Control-Allow-Origin'])
+  end
 end