Feature/sign in issue

[DominikLudwiczak]

Problem

When signing in on the dev mode with NOT_SECURED flag set to TRUE the CORS error occurs and no action is done.

This PR fixes issue #1053

Solution

Change CORS settings by allowing new headers when the flag NOT_SECURED is set to TRUE. Also added prima packages ti the onlyBuiltDependencies in package.json because it was required during setting the dev mode up

Checklist:

Put a "X" in the boxes below to indicate you have followed the checklist;

• I have read the CONTRIBUTING guide.
• I checked that there were not similar issues or PRs already open for this.
• This PR fixes just ONE issue (do not include multiple issues or types of change in the same PR) For example, don't try and fix a UI issue and include new dependencies in the same PR.

[vercel]

@DominikLudwiczak is attempting to deploy a commit to the Listinai Team on Vercel.

A member of the Team first needs to authorize it.

[sentry]

Bug: Backend CORS unconditionally requires credentials, but frontend does not send them in dev mode (NOT_SECURED=true), causing CORS errors.
_{Severity: CRITICAL | Confidence: High}

🔍 Detailed Analysis

The PR's change to CORS configuration unconditionally sets credentials: true on the backend. However, in development mode (process.env.NOT_SECURED=true), the frontend explicitly does not send credentials: 'include' in its fetch requests. This mismatch causes browsers to block responses with CORS errors, preventing authentication from working in dev mode. This contradicts the PR's goal of fixing sign-in issues in development.

💡 Suggested Fix

Revert the CORS configuration change to preserve conditional logic: ...(process.env.NOT_SECURED ? {} : { credentials: true }) instead of unconditionally setting credentials: true.

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: apps/backend/src/main.ts#L23

Potential issue: The PR's change to CORS configuration unconditionally sets
`credentials: true` on the backend. However, in development mode
(`process.env.NOT_SECURED=true`), the frontend explicitly does *not* send `credentials:
'include'` in its fetch requests. This mismatch causes browsers to block responses with
CORS errors, preventing authentication from working in dev mode. This contradicts the
PR's goal of fixing sign-in issues in development.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 196827}

[DominikLudwiczak]

it worked for me when I set NOT_SECURED to TRUE. If you want I can change it back, because most important change here is with headers