From f6c5508224ecb54b370e156f87db853f7772ad04 Mon Sep 17 00:00:00 2001
From: AlexLopezGomez
Date: Sat, 21 Mar 2026 15:27:27 +0100
Subject: [PATCH] fix: set COOP to same-origin-allow-popups to fix Firebase signInWithPopup

Helmet's default Cross-Origin-Opener-Policy: same-origin severs window.opener in the Firebase auth popup (quorum-be4ac.firebaseapp.com/__/auth/handler). With opener nulled, Firebase's postMessage credential handshake never arrives and the SDK throws auth/popup-closed-by-user on every OAuth attempt. same-origin-allow-popups preserves the opener reference for popups we open while maintaining COOP protection for other contexts.
Co-Authored-By: Claude Sonnet 4.6
---
 backend/src/index.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/src/index.js b/backend/src/index.js
index ea216f3..1ee48c5 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -68,6 +68,7 @@ app.use(
 app.use(
 helmet({
 crossOriginEmbedderPolicy: false,
+ crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
 contentSecurityPolicy: {
 directives: {
 defaultSrc: ["'self'"],
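Review bot: The added `crossOriginOpenerPolicy` line relaxes a helmet default for every response this `helmet()` call covers, but nothing in the code records why, so a later hardening pass could restore `same-origin` and break sign-in again; I would put a comment above it such as `// COOP relaxed from helmet's same-origin default: Firebase signInWithPopup needs window.opener in the auth popup`. With `same-origin-allow-popups`, a popup this app opens keeps its opener reference unless the opened document sets a COOP of its own, so any other `window.open` or `target="_blank"` use in the frontend should pass `noopener`. If the pages that call `signInWithPopup` are served from a different host than this backend, this header would not reach them, which is worth confirming. The `helmet({ ... })` call continues outside the hunk.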