diff --git a/lib/http/middleware.go b/lib/http/middleware.go index 07aef96ac..e7e4582b3 100644 --- a/lib/http/middleware.go +++ b/lib/http/middleware.go @@ -62,6 +62,11 @@ func basicAuth(authenticator *LoggedBasicAuth) func(next http.Handler) http.Hand next.ServeHTTP(w, r) return } + // skip auth for CORS preflight + if r.Method == "OPTIONS" { + next.ServeHTTP(w, r) + return + } username := authenticator.CheckAuth(r) if username == "" { @@ -123,6 +128,11 @@ func MiddlewareAuthCustom(fn CustomAuthFn, realm string, userFromContext bool) M next.ServeHTTP(w, r) return } + // skip auth for CORS preflight + if r.Method == "OPTIONS" { + next.ServeHTTP(w, r) + return + } user, pass, ok := parseAuthorization(r) if !ok && userFromContext { @@ -177,13 +187,6 @@ func MiddlewareCORS(allowOrigin string) Middleware { w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type") } - if r.Method == "OPTIONS" { - w.WriteHeader(http.StatusOK) - return - // Because CORS preflight OPTIONS requests are not authenticated, - // and require a 200 OK response, we will return early here. - } - next.ServeHTTP(w, r) }) } diff --git a/lib/http/middleware_test.go b/lib/http/middleware_test.go index 759528d3b..283848f94 100644 --- a/lib/http/middleware_test.go +++ b/lib/http/middleware_test.go @@ -459,8 +459,7 @@ func TestMiddlewareCORSWithAuth(t *testing.T) { require.NoError(t, s.Shutdown()) }() - expected := []byte("data") - s.Router().Mount("/", testEchoHandler(expected)) + s.Router().Mount("/", testEmptyHandler()) s.Serve() url := testGetServerURL(t, s) diff --git a/lib/http/server_test.go b/lib/http/server_test.go index 656c7702f..0c636d274 100644 --- a/lib/http/server_test.go +++ b/lib/http/server_test.go @@ -14,6 +14,10 @@ import ( "github.com/stretchr/testify/require" ) +func testEmptyHandler() http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}) +} + func testEchoHandler(data []byte) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { _, _ = w.Write(data)