From d1ab72c8c8b0f2f6c322d4f31d7deb6d4b597291 Mon Sep 17 00:00:00 2001
From: Petu Eusebiu
Date: Mon, 30 Oct 2023 17:27:05 +0200
Subject: [PATCH] fix(routes): fix cors headers for api keys and logout route
Signed-off-by: Petu Eusebiu
---
 pkg/api/authn_test.go | 2 ++
 pkg/api/routes.go | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/api/authn_test.go b/pkg/api/authn_test.go
index c332f1dc5..c0ec5151c 100644
--- a/pkg/api/authn_test.go
+++ b/pkg/api/authn_test.go
@@ -67,6 +67,8 @@ func TestAllowedMethodsHeaderAPIKey(t *testing.T) {
 resp, _ := resty.R().Options(baseURL + constants.APIKeyPath)
 So(resp, ShouldNotBeNil)
 So(resp.Header().Get("Access-Control-Allow-Methods"), ShouldResemble, "GET,POST,DELETE,OPTIONS")
+ So(resp.Header().Get("Access-Control-Allow-Origin"), ShouldResemble, "*")
+ So(resp.Header().Get("Access-Control-Allow-Headers"), ShouldResemble, "Authorization,content-type,X-ZOT-API-CLIENT")
 So(resp.StatusCode(), ShouldEqual, http.StatusNoContent)
 })
 }
diff --git a/pkg/api/routes.go b/pkg/api/routes.go
index ce9c5696d..82160ef3f 100644
--- a/pkg/api/routes.go
+++ b/pkg/api/routes.go
@@ -91,9 +91,11 @@ func (rh *RouteHandler) SetupRoutes() {
 apiKeyRouter := rh.c.Router.PathPrefix(constants.APIKeyPath).Subrouter()
 apiKeyRouter.Use(authHandler)
 apiKeyRouter.Use(BaseAuthzHandler(rh.c))
+
+ // Always use CORSHeadersMiddleware before ACHeadersMiddleware
+ apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 apiKeyRouter.Use(zcommon.ACHeadersMiddleware(rh.c.Config, http.MethodGet, http.MethodPost, http.MethodDelete, http.MethodOptions))
- apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 apiKeyRouter.Methods(http.MethodPost, http.MethodOptions).HandlerFunc(rh.CreateAPIKey)
 apiKeyRouter.Methods(http.MethodGet).HandlerFunc(rh.GetAPIKeys)
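Review bot: The two assertions added to `TestAllowedMethodsHeaderAPIKey` in `pkg/api/authn_test.go` pin only the wildcard case, `Access-Control-Allow-Origin: *`, while the route change in the same patch passes `rh.c.Config.HTTP.AllowOrigin` to the middleware. A second case that sets a specific origin in the test configuration and expects that value back on `constants.APIKeyPath` would cover the setting that actually restricts cross-origin access to the API key endpoint. The wildcard expectation presumably reflects an unset `AllowOrigin` in the test config, which is not visible here. The test function starts outside the hunk.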
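Review bot: In the `pkg/api/routes.go` hunk, `authHandler` and `BaseAuthzHandler` are still registered ahead of `CORSHeadersMiddleware`. If either of them writes a response itself, such as a rejected request, that response would presumably go out without `Access-Control-Allow-Origin`, and a browser client would see a CORS failure instead of the status code; whether those handlers set the header on their own is not visible here. The new comment also gives the ordering rule without the reason; something like `// CORSHeadersMiddleware must run before ACHeadersMiddleware, which answers OPTIONS itself` (to be confirmed against ACHeadersMiddleware) would keep a later edit from reordering the calls. The subject names the logout route as well, but this is the only routes.go hunk in the patch, so it is worth checking that the logout subrouter registers the two middlewares in the same order. `SetupRoutes` starts before the hunk and continues after it.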