fix preflight requests

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
2026-01-04 11:19:39 -06:00 · 2023-05-19 16:10:36 +02:00
parent 4080b85033
commit 0edb2b9c5b
9 changed files with 68 additions and 6 deletions
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -33,7 +33,7 @@ func DefaultConfig() *config.Config {
 			CORS: config.CORS{
 				AllowedOrigins:   []string{"*"},
 				AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
-				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "Purge", "Restore"},
+				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id", "Purge", "Restore"},
 				AllowCredentials: true,
 			},
 		},
--- a/services/ocs/pkg/config/defaults/defaultconfig.go
+++ b/services/ocs/pkg/config/defaults/defaultconfig.go
@@ -31,7 +31,7 @@ func DefaultConfig() *config.Config {
 			CORS: config.CORS{
 				AllowedOrigins:   []string{"*"},
 				AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
-				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"},
+				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id"},
 				AllowCredentials: true,
 			},
 		},
--- a/services/proxy/pkg/middleware/authentication.go
+++ b/services/proxy/pkg/middleware/authentication.go
@@ -52,7 +52,7 @@ func Authentication(auths []Authenticator, opts ...Option) func(next http.Handle
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ri := router.ContextRoutingInfo(r.Context())
-			if isOIDCTokenAuth(r) || ri.IsRouteUnprotected() {
+			if isOIDCTokenAuth(r) || ri.IsRouteUnprotected() || r.Method == "OPTIONS" {
 				// Either this is a request that does not need any authentication or
 				// the authentication for this request is handled by the IdP.
 				next.ServeHTTP(w, r)
--- a/services/settings/pkg/config/defaults/defaultconfig.go
+++ b/services/settings/pkg/config/defaults/defaultconfig.go
@@ -41,7 +41,7 @@ func DefaultConfig() *config.Config {
 			CORS: config.CORS{
 				AllowedOrigins:   []string{"*"},
 				AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
-				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"},
+				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id"},
 				AllowCredentials: true,
 			},
 		},
--- a/services/userlog/pkg/config/defaults/defaultconfig.go
+++ b/services/userlog/pkg/config/defaults/defaultconfig.go
@@ -48,7 +48,7 @@ func DefaultConfig() *config.Config {
 			CORS: config.CORS{
 				AllowedOrigins:   []string{"*"},
 				AllowedMethods:   []string{"GET"},
-				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"},
+				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id", "Ocs-Apirequest"},
 				AllowCredentials: true,
 			},
 		},
--- a/services/web/pkg/config/defaults/defaultconfig.go
+++ b/services/web/pkg/config/defaults/defaultconfig.go
@@ -30,6 +30,51 @@ func DefaultConfig() *config.Config {
 			Root:      "/",
 			Namespace: "com.owncloud.web",
 			CacheTTL:  604800, // 7 days
+
+			CORS: config.CORS{
+				AllowedOrigins: []string{"*"},
+				AllowedMethods: []string{
+					"OPTIONS",
+					"HEAD",
+					"GET",
+					"PUT",
+					"PATCH",
+					"POST",
+					"DELETE",
+					"MKCOL",
+					"PROPFIND",
+					"PROPPATCH",
+					"MOVE",
+					"COPY",
+					"REPORT",
+					"SEARCH",
+				},
+				AllowedHeaders: []string{
+					"Origin",
+					"Accept",
+					"Content-Type",
+					"Depth",
+					"Authorization",
+					"Ocs-Apirequest",
+					"If-None-Match",
+					"If-Match",
+					"Destination",
+					"Overwrite",
+					"X-Request-Id",
+					"X-Requested-With",
+					"Tus-Resumable",
+					"Tus-Checksum-Algorithm",
+					"Upload-Concat",
+					"Upload-Length",
+					"Upload-Metadata",
+					"Upload-Defer-Length",
+					"Upload-Expires",
+					"Upload-Checksum",
+					"Upload-Offset",
+					"X-HTTP-Method-Override",
+				},
+				AllowCredentials: true,
+			},
 		},
 		Service: config.Service{
 			Name: "web",
--- a/services/web/pkg/config/http.go
+++ b/services/web/pkg/config/http.go
@@ -9,4 +9,13 @@ type HTTP struct {
 	Namespace string                `yaml:"-"`
 	Root      string                `yaml:"root" env:"WEB_HTTP_ROOT" desc:"Subdirectory that serves as the root for this HTTP service."`
 	CacheTTL  int                   `yaml:"cache_ttl" env:"WEB_CACHE_TTL" desc:"Cache policy in seconds for ownCloud Web assets."`
+	CORS      CORS                  `yaml:"cors"`
+}
+
+// CORS defines the available cors configuration.
+type CORS struct {
+	AllowedOrigins   []string `yaml:"allow_origins" env:"OCIS_CORS_ALLOW_ORIGINS;WEB_CORS_ALLOW_ORIGINS" desc:"A comma-separated list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"`
+	AllowedMethods   []string `yaml:"allow_methods" env:"OCIS_CORS_ALLOW_METHODS;WEB_CORS_ALLOW_METHODS" desc:"A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method"`
+	AllowedHeaders   []string `yaml:"allow_headers" env:"OCIS_CORS_ALLOW_HEADERS;WEB_CORS_ALLOW_HEADERS" desc:"A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers."`
+	AllowCredentials bool     `yaml:"allow_credentials" env:"OCIS_CORS_ALLOW_CREDENTIALS;WEB_CORS_ALLOW_CREDENTIALS" desc:"Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials."`
 }
--- a/services/web/pkg/server/http/server.go
+++ b/services/web/pkg/server/http/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
+	"github.com/owncloud/ocis/v2/ocis-pkg/cors"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/http"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
@@ -56,6 +57,13 @@ func Server(opts ...Option) (http.Service, error) {
 			middleware.Logger(
 				options.Logger,
 			),
+			middleware.Cors(
+				cors.Logger(options.Logger),
+				cors.AllowedOrigins(options.Config.HTTP.CORS.AllowedOrigins),
+				cors.AllowedMethods(options.Config.HTTP.CORS.AllowedMethods),
+				cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
+				cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
+			),
 		),
 	)

--- a/services/webdav/pkg/config/defaults/defaultconfig.go
+++ b/services/webdav/pkg/config/defaults/defaultconfig.go
@@ -32,7 +32,7 @@ func DefaultConfig() *config.Config {
 			CORS: config.CORS{
 				AllowedOrigins:   []string{"*"},
 				AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
-				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"},
+				AllowedHeaders:   []string{"Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With", "X-Request-Id"},
 				AllowCredentials: true,
 			},
 		},