fix(routes): fix cors headers for api keys and logout route (project-…

…zot#1984) Signed-off-by: Petu Eusebiu <[email protected]>
mbshields · Nov 7, 2023 · 7f52f58 · 7f52f58
1 parent ff16e4c
commit 7f52f58
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/pkg/api/authn_test.go b/pkg/api/authn_test.go
@@ -67,6 +67,8 @@ func TestAllowedMethodsHeaderAPIKey(t *testing.T) {
 		resp, _ := resty.R().Options(baseURL + constants.APIKeyPath)
 		So(resp, ShouldNotBeNil)
 		So(resp.Header().Get("Access-Control-Allow-Methods"), ShouldResemble, "GET,POST,DELETE,OPTIONS")
+		So(resp.Header().Get("Access-Control-Allow-Origin"), ShouldResemble, "*")
+		So(resp.Header().Get("Access-Control-Allow-Headers"), ShouldResemble, "Authorization,content-type,X-ZOT-API-CLIENT")
 		So(resp.StatusCode(), ShouldEqual, http.StatusNoContent)
 	})
 }

diff --git a/pkg/api/routes.go b/pkg/api/routes.go
@@ -91,9 +91,11 @@ func (rh *RouteHandler) SetupRoutes() {
 		apiKeyRouter := rh.c.Router.PathPrefix(constants.APIKeyPath).Subrouter()
 		apiKeyRouter.Use(authHandler)
 		apiKeyRouter.Use(BaseAuthzHandler(rh.c))
+
+		// Always use CORSHeadersMiddleware before ACHeadersMiddleware
+		apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 		apiKeyRouter.Use(zcommon.ACHeadersMiddleware(rh.c.Config,
 			http.MethodGet, http.MethodPost, http.MethodDelete, http.MethodOptions))
-		apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 
 		apiKeyRouter.Methods(http.MethodPost, http.MethodOptions).HandlerFunc(rh.CreateAPIKey)
 		apiKeyRouter.Methods(http.MethodGet).HandlerFunc(rh.GetAPIKeys)