diff --git a/app/controllers/api/v0/base_controller.rb b/app/controllers/api/v0/base_controller.rb
index edcd178ed..39d331215 100644
--- a/app/controllers/api/v0/base_controller.rb
+++ b/app/controllers/api/v0/base_controller.rb
@@ -3,6 +3,8 @@ module Api
 class BaseController < ApplicationController
 include Api::OpenidConnect::ProtectedResourceEndpoint
 
+ protected
+
 def current_user
 current_token ? current_token.authorization.user : nil
 end
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index 68e071e7c..e2afeff3e 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -1,7 +1,11 @@
 Rails.application.config.middleware.insert 0, Rack::Cors do
 allow do
- origins '*'
- resource '/.well-known/host-meta'
- resource '/webfinger'
+ origins "*"
+ resource "/.well-known/host-meta"
+ resource "/webfinger"
+ resource "/.well-known/webfinger"
+ resource "/.well-known/openid-configuration"
+ resource "/api/openid_connect/user_info", methods: :get
+ resource "/api/v0/*", methods: %i(get post delete)
 end
 end
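Review bot: The bare `protected` added above `current_user` changes the visibility of every method defined after it in `BaseController`, and the class body continues outside this hunk, so it is worth confirming that nothing further down is meant to stay a public action. The change presumably exists to keep `current_user` from being treated as a routable action method, but the code does not say so. A one-line comment under the keyword, such as `# Helpers below are not actions; keep them non-public so no route can reach them.`, would record that intent for whoever adds the next helper.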
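Review bot: `origins "*"` now also covers `resource "/api/v0/*", methods: %i(get post delete)`, so any web origin may send state-changing cross-origin requests to the API; that is only safe while those endpoints authenticate by bearer token alone and never by session cookie. The `current_user` override in `base_controller.rb` suggests token-only auth is the intent, but nothing in this initializer records the dependency. I would add a comment above the API resource, for example `# Wildcard origin relies on token-only auth for /api/v0; never set credentials: true or fall back to cookie sessions here.` Separately, no `headers:` option is given, so a browser preflight that announces an `Authorization` header may be refused by rack-cors; a cross-origin test should confirm whether `headers:` needs to list it, since otherwise clients may be pushed toward passing tokens in the query string.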