diff --git a/app/controllers/api/v0/base_controller.rb b/app/controllers/api/v0/base_controller.rb
index edcd178edb0f81ae7660f4226ac017ed0f5cd465..39d331215e1bed3cf3e43224235dc3e532adc994 100644
--- a/app/controllers/api/v0/base_controller.rb
+++ b/app/controllers/api/v0/base_controller.rb
@@ -3,6 +3,8 @@ module Api
     class BaseController < ApplicationController
       include Api::OpenidConnect::ProtectedResourceEndpoint
 
+      protected
+
       def current_user
         current_token ? current_token.authorization.user : nil
       end
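Review bot: The added `protected` has no comment saying why it is there, and the reason is security-relevant: a public controller method can be reached as an action if a route maps to it, so `current_user` should stay non-public. I would put `# Not an action: helpers below this line must stay out of the routable public interface.` above the keyword. `protected` applies to every method defined after it, and the class body continues outside this hunk, so an action added further down would silently stop being routable. `private` is the more common choice for controller helpers unless something calls `current_user` with an explicit receiver.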
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index 68e071e7c37ecf2c1252dc3cca117e4c8d2227b0..e2afeff3ea11188140663d617ffcc08e684c46b6 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -1,7 +1,11 @@
 Rails.application.config.middleware.insert 0, Rack::Cors do
   allow do
-    origins '*'
-    resource '/.well-known/host-meta'
-    resource '/webfinger'
+    origins "*"
+    resource "/.well-known/host-meta"
+    resource "/webfinger"
+    resource "/.well-known/webfinger"
+    resource "/.well-known/openid-configuration"
+    resource "/api/openid_connect/user_info", methods: :get
+    resource "/api/v0/*", methods: %i(get post delete)
   end
 end
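Review bot: The new `/api/v0/*` and `/api/openid_connect/user_info` resources sit under `origins "*"` without saying whether credentialed requests are allowed. Whether cookies can accompany cross-origin `post`/`delete` calls therefore depends on the default of the installed rack-cors version, which this diff does not show. These endpoints are presumably meant to be authorised by bearer token only, so I would make that explicit with `resource "/api/v0/*", methods: %i(get post delete), credentials: false`, and the same option on the user_info line. No `headers:` option is set either, so it is worth confirming that preflight permits the `Authorization` request header (e.g. `headers: %w(Authorization)`). A short comment above the block stating that the wildcard origin is acceptable only because nothing listed relies on session cookies would help later reviewers.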