Reviewer's GET request working, but not POST requests

Hello,

I have submitted my app and the reviewer says he can't login or register.

"- We received an error when we tried to register an account. Please note we were connected to a working wifi network."

After looking in my server logs, i found that a lot of requests worked, but they are only GET requests.

Here is an example of what I saw in the logs:

onyxphysique.com.gzwu5532.odns.fr-ssl_log-Dec-2024.gz:17.65.180.45 - - [03/Dec/2024:12:10:55 +0100] "GET /courses HTTP/1.1" 200 92750 "-" "Mozilla/5.0 (iPad; CPU OS 18_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"

I am 100% sure that these logs are from the reviewer, since it matches the time of the review screenshots, and the Apple Reviewer's message says that it was tested on an IPad with iOS 18.1.1.

I haven't found any POST request log.

The login and register requests are POST requests. I guess this is where the problem is. It seems like the reviewer is not able to send POST requests to my server.

I’ve tried to reproduce the issue but haven’t been able to.

I made the App using Capacitor, so the requests come from a webview, using nothing else then the official javascript Fetch API.

The backend is using the Symfony php framework.

Php version: v8.1.30 Symfony version: 6.1

Here is the fetch request for the login

fetch('https://www.onyxphysique.com/onyxlogin', {
    method: 'POST',
    body: new FormData(htmlLoginFormElement)
}).catch(error => {

    return toastNotification(0, 'Vous êtes hors connexion') //Message translated: "You are offline". I know it does not necessarily mean we are offline here, but you can see this toaster on the review screenshot.

});

My Symfony route is declared like this

#[Route('/onyxlogin', methods: ['POST'])]

I allowed CORS requests by adding this to my .env

CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'

And by using nelmio_cors

nelmio_cors:
    defaults:
        allow_origin: ['*']
        allow_headers: ['*']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'DELETE']
        max_age: 3600
        allow_credentials: true
    paths:
        '^/':
            allow_origin: ['*']
            allow_headers: ['*']
            allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'DELETE']
            max_age: 3600
            allow_credentials: true

Maybe my methods to allow CORS are not the best.

My server is hosted by o2switch.

Thank you very much for taking the time to read my message. I would really appreciate any advice or suggestions you might have to help resolve this issue.