fix(api): run cors logic before auth

crates/api/src/main.rs

@@ -136,12 +136,12 @@ fn router(ctx: ApiContext) -> Router {
         .layer(middleware::ratelimit::ratelimiter(middleware::ratelimit::do_request_ratelimited)) // this sucks
 
         .layer(axum::middleware::from_fn(middleware::ignore_invalid_routes::ignore_invalid_routes))
-        .layer(axum::middleware::from_fn(middleware::cors::cors))
         .layer(axum::middleware::from_fn(middleware::logger::logger))
 
         .layer(axum::middleware::from_fn_with_state(ctx.clone(), middleware::params::params))
         .layer(axum::middleware::from_fn_with_state(ctx.clone(), middleware::auth::auth))
 
+        .layer(axum::middleware::from_fn(middleware::cors::cors))
         .layer(tower_http::catch_panic::CatchPanicLayer::custom(util::handle_panic))
 
         .with_state(ctx)