From 85acfa0eb60e4b2bc96f974f97ead2f539e546c0 Mon Sep 17 00:00:00 2001
From: Petu Eusebiu
Date: Mon, 30 Oct 2023 17:27:05 +0200
Subject: [PATCH] fix(routes): fix cors headers for api keys and logout route

Signed-off-by: Petu Eusebiu
---
 pkg/api/routes.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/pkg/api/routes.go b/pkg/api/routes.go
index ec93ffdc59..c934e7ae36 100644
--- a/pkg/api/routes.go
+++ b/pkg/api/routes.go
@@ -91,9 +91,11 @@ func (rh *RouteHandler) SetupRoutes() {
 	apiKeyRouter := rh.c.Router.PathPrefix(constants.APIKeyPath).Subrouter()
 	apiKeyRouter.Use(authHandler)
 	apiKeyRouter.Use(BaseAuthzHandler(rh.c))
+
+	// Always use CORSHeadersMiddleware before ACHeadersMiddleware
+	apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 	apiKeyRouter.Use(zcommon.ACHeadersMiddleware(rh.c.Config, http.MethodGet, http.MethodPost, http.MethodDelete, http.MethodOptions))
-	apiKeyRouter.Use(zcommon.CORSHeadersMiddleware(rh.c.Config.HTTP.AllowOrigin))
 	apiKeyRouter.Methods(http.MethodPost, http.MethodOptions).HandlerFunc(rh.CreateAPIKey)
 	apiKeyRouter.Methods(http.MethodGet).HandlerFunc(rh.GetAPIKeys)
@@ -2037,6 +2039,10 @@ type APIKeyPayload struct { //nolint:revive
 // @Failure 500 {string} string "internal server error"
 // @Router /zot/auth/apikey [get].
 func (rh *RouteHandler) GetAPIKeys(resp http.ResponseWriter, req *http.Request) {
+	if req.Method == http.MethodOptions {
+		return
+	}
+
 	apiKeys, err := rh.c.MetaDB.GetUserAPIKeys(req.Context())
 	if err != nil {
 		rh.c.Log.Error().Err(err).Msg("error getting list of API keys for user")
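Review bot: The comment added above the CORSHeadersMiddleware Use call states the ordering rule but not why it matters, so a later reordering would not be recognised as a regression; presumably ACHeadersMiddleware answers the OPTIONS preflight itself and needs the CORS headers already on the response, and if that is the case the comment should say so: `// CORSHeadersMiddleware must run before ACHeadersMiddleware: the preflight response it produces must already carry the CORS headers.` The authHandler and BaseAuthzHandler registered two lines earlier still run ahead of both; browser preflights carry no credentials, so this only works if authHandler lets OPTIONS through, which is outside this hunk and worth confirming. The subject also names the logout route, but the diffstat lists routes.go alone and none of the patch's hunks touch a logout route, so either the subject or the patch is incomplete.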
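Review bot: The OPTIONS guard added at the top of GetAPIKeys cannot be reached through the route set up in the first hunk, which binds GetAPIKeys with `apiKeyRouter.Methods(http.MethodGet)` while CreateAPIKey gets `Methods(http.MethodPost, http.MethodOptions)`; either add `http.MethodOptions` to the GET registration or drop the guard as dead code. The bare `return` answers the preflight with the implicit 200 and an empty body, which is acceptable, but `resp.WriteHeader(http.StatusOK)` before it would make that intent explicit. The same three-line guard is repeated verbatim in CreateAPIKey and RevokeAPIKey in the following hunks; handling OPTIONS once in the middleware chain would avoid keeping three copies in sync. GetAPIKeys' body continues outside the hunk.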
@@ -2079,6 +2085,10 @@ func (rh *RouteHandler) GetAPIKeys(resp http.ResponseWriter, req *http.Request)
 // @Failure 500 {string} string "internal server error"
 // @Router /zot/auth/apikey [post].
 func (rh *RouteHandler) CreateAPIKey(resp http.ResponseWriter, req *http.Request) {
+	if req.Method == http.MethodOptions {
+		return
+	}
+
 	var payload APIKeyPayload
 
 	body, err := io.ReadAll(req.Body)
@@ -2181,6 +2191,10 @@ func (rh *RouteHandler) CreateAPIKey(resp http.ResponseWriter, req *http.Request
 // @Failure 400 {string} string "bad request"
 // @Router /zot/auth/apikey [delete].
 func (rh *RouteHandler) RevokeAPIKey(resp http.ResponseWriter, req *http.Request) {
+	if req.Method == http.MethodOptions {
+		return
+	}
+
 	ids, ok := req.URL.Query()["id"]
 	if !ok || len(ids) != 1 {
 		resp.WriteHeader(http.StatusBadRequest)