Allow sending info.json XHR with Authorization header (#574)

Web browser clients implementing IIIF Authentication API 1.0 may send
info.json requests with an Authorization header via XMLHttpRequest
(XHR). Such requests are "pre-flighted", and the pre-flight response
must explicitly state that the Authorization header is allowed in order
for the browser to proceed with the request.

src/main/java/edu/illinois/library/cantaloupe/resource/AbstractResource.java

@@ -198,7 +198,10 @@ public void doHEAD() throws Exception {
         doGET();
     }
 
-    final void doOPTIONS() {
+    /**
+     * May be overridden by implementations that support {@literal OPTIONS}.
+     */
+    protected void doOPTIONS() {
         Method[] methods = getSupportedMethods();
         if (methods.length > 0) {
             response.setStatus(Status.NO_CONTENT.getCode());

src/main/java/edu/illinois/library/cantaloupe/resource/iiif/v1/InformationResource.java

@@ -1,10 +1,12 @@
 package edu.illinois.library.cantaloupe.resource.iiif.v1;
 
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import edu.illinois.library.cantaloupe.http.Method;
 import edu.illinois.library.cantaloupe.http.Status;
@@ -18,6 +20,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.servlet.http.HttpServletResponse;
+
 /**
  * Handles IIIF Image API 1.x information requests.
  *
@@ -42,6 +46,21 @@ public Method[] getSupportedMethods() {
         return SUPPORTED_METHODS;
     }
 
+    @Override
+    protected final void doOPTIONS() {
+        HttpServletResponse response = getResponse();
+        Method[] methods = getSupportedMethods();
+        if (methods.length > 0) {
+            response.setStatus(Status.NO_CONTENT.getCode());
+            response.setHeader("Access-Control-Allow-Headers", "Authorization");
+            response.setHeader("Allow", Arrays.stream(methods)
+                    .map(Method::toString)
+                    .collect(Collectors.joining(",")));
+        } else {
+            response.setStatus(Status.METHOD_NOT_ALLOWED.getCode());
+        }
+    }
+
     /**
      * Writes a JSON-serialized {@link Information} instance to the response.
      */

src/main/java/edu/illinois/library/cantaloupe/resource/iiif/v2/InformationResource.java

@@ -1,10 +1,12 @@
 package edu.illinois.library.cantaloupe.resource.iiif.v2;
 
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import edu.illinois.library.cantaloupe.http.Method;
 import edu.illinois.library.cantaloupe.http.Status;
@@ -20,6 +22,7 @@
 import org.slf4j.LoggerFactory;
 
 import javax.script.ScriptException;
+import javax.servlet.http.HttpServletResponse;
 
 /**
  * Handles information requests.
@@ -45,6 +48,21 @@ public Method[] getSupportedMethods() {
         return SUPPORTED_METHODS;
     }
 
+    @Override
+    protected final void doOPTIONS() {
+        HttpServletResponse response = getResponse();
+        Method[] methods = getSupportedMethods();
+        if (methods.length > 0) {
+            response.setStatus(Status.NO_CONTENT.getCode());
+            response.setHeader("Access-Control-Allow-Headers", "Authorization");
+            response.setHeader("Allow", Arrays.stream(methods)
+                    .map(Method::toString)
+                    .collect(Collectors.joining(",")));
+        } else {
+            response.setStatus(Status.METHOD_NOT_ALLOWED.getCode());
+        }
+    }
+
     /**
      * Writes a JSON-serialized {@link Information} instance to the response.
      */

src/main/java/edu/illinois/library/cantaloupe/resource/iiif/v3/InformationResource.java

@@ -1,10 +1,12 @@
 package edu.illinois.library.cantaloupe.resource.iiif.v3;
 
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import edu.illinois.library.cantaloupe.http.Method;
 import edu.illinois.library.cantaloupe.http.Status;
@@ -20,6 +22,7 @@
 import org.slf4j.LoggerFactory;
 
 import javax.script.ScriptException;
+import javax.servlet.http.HttpServletResponse;
 
 /**
  * Handles IIIF Image API 3.x information requests.
@@ -45,6 +48,21 @@ public Method[] getSupportedMethods() {
         return SUPPORTED_METHODS;
     }
 
+    @Override
+    protected final void doOPTIONS() {
+        HttpServletResponse response = getResponse();
+        Method[] methods = getSupportedMethods();
+        if (methods.length > 0) {
+            response.setStatus(Status.NO_CONTENT.getCode());
+            response.setHeader("Access-Control-Allow-Headers", "Authorization");
+            response.setHeader("Allow", Arrays.stream(methods)
+                    .map(Method::toString)
+                    .collect(Collectors.joining(",")));
+        } else {
+            response.setStatus(Status.METHOD_NOT_ALLOWED.getCode());
+        }
+    }
+
     /**
      * Writes a JSON-serialized {@link Information} instance to the response.
      */

src/test/java/edu/illinois/library/cantaloupe/resource/iiif/v1/InformationResourceTest.java

@@ -603,6 +603,11 @@ void testOPTIONSWhenEnabled() throws Exception {
         assertEquals(2, methods.size());
         assertTrue(methods.contains("GET"));
         assertTrue(methods.contains("OPTIONS"));
+
+        List<String> allowedHeaders =
+                List.of(StringUtils.split(headers.getFirstValue("Access-Control-Allow-Headers"), ", "));
+        assertEquals(1, allowedHeaders.size());
+        assertTrue(allowedHeaders.contains("Authorization"));
     }
 
     @Test

src/test/java/edu/illinois/library/cantaloupe/resource/iiif/v2/InformationResourceTest.java

@@ -623,6 +623,11 @@ void testOPTIONSWhenEnabled() throws Exception {
         assertEquals(2, methods.size());
         assertTrue(methods.contains("GET"));
         assertTrue(methods.contains("OPTIONS"));
+
+        List<String> allowedHeaders =
+                List.of(StringUtils.split(headers.getFirstValue("Access-Control-Allow-Headers"), ", "));
+        assertEquals(1, allowedHeaders.size());
+        assertTrue(allowedHeaders.contains("Authorization"));
     }
 
     @Test

src/test/java/edu/illinois/library/cantaloupe/resource/iiif/v3/InformationResourceTest.java

@@ -600,6 +600,11 @@ void testOPTIONSWhenEnabled() throws Exception {
         assertEquals(2, methods.size());
         assertTrue(methods.contains("GET"));
         assertTrue(methods.contains("OPTIONS"));
+
+        List<String> allowedHeaders =
+                List.of(StringUtils.split(headers.getFirstValue("Access-Control-Allow-Headers"), ", "));
+        assertEquals(1, allowedHeaders.size());
+        assertTrue(allowedHeaders.contains("Authorization"));
     }
 
     @Test