fix(routes): fix cors headers for api keys and logout route

Signed-off-by: Petu Eusebiu <[email protected]>
project-zot · Oct 30, 2023 · d229166 · d229166
1 parent f34af3c
commit d229166
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/pkg/api/routes.go b/pkg/api/routes.go
@@ -91,9 +91,11 @@ func (rh *RouteHandler) SetupRoutes() {
 		apiKeyRouter := rh.c.Router.PathPrefix(constants.APIKeyPath).Subrouter()
 		apiKeyRouter.Use(authHandler)
 		apiKeyRouter.Use(BaseAuthzHandler(rh.c))
+
+		// Always use CORSHeadersMiddleware before ACHeadersMiddleware
+		apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 		apiKeyRouter.Use(zcommon.ACHeadersMiddleware(rh.c.Config,
 			http.MethodGet, http.MethodPost, http.MethodDelete, http.MethodOptions))
-		apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 
 		apiKeyRouter.Methods(http.MethodPost, http.MethodOptions).HandlerFunc(rh.CreateAPIKey)
 		apiKeyRouter.Methods(http.MethodGet).HandlerFunc(rh.GetAPIKeys)
@@ -216,6 +218,10 @@ func getUIHeadersHandler(config *config.Config, allowedMethods ...string) func(h
 				response.Header().Set("Access-Control-Allow-Credentials", "true")
 			}
 
+			if request.Method == http.MethodOptions {
+				return
+			}
+
 			next.ServeHTTP(response, request)
 		})
 	}