fixed cors bug, separating rental confirmation for owner and renter, removing condition checks from my-listings

backend/server.js

@@ -73,10 +73,7 @@ app.use(morgan("combined", { stream: logger.stream }));
 // API request/response logging
 app.use("/api/", apiLogger);
 
-// General rate limiting for all routes
-app.use("/api/", generalLimiter);
-
-// CORS with security settings
+// CORS with security settings (must come BEFORE rate limiter to ensure headers on all responses)
 app.use(
   cors({
     origin: process.env.FRONTEND_URL || "http://localhost:3000",
@@ -85,6 +82,9 @@ app.use(
   })
 );
 
+// General rate limiting for all routes
+app.use("/api/", generalLimiter);
+
 // Body parsing with size limits
 app.use(
   bodyParser.json({