fix: allow csrf header through cors

server/internal/service/service.go

@@ -56,8 +56,8 @@ func Run(conn *pgx.Conn, q *data.Queries, config SvcConfig) error {
 	r.Use(cors.Handler(cors.Options{
 		AllowedOrigins:   config.allowedOrigins(),
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-Csrf-Token"},
-		ExposedHeaders:   []string{"List"},
+		ExposedHeaders:   []string{"List", "X-Csrf-Token"},
 		AllowCredentials: true,
 		MaxAge:           300,
 	}))