Swap the corsMiddleware and the csrfMiddleware so that the unauthenticated OPTIONS requests are processed first.

This commit is contained in:
Laurent Etiemble 2016-02-12 22:10:08 +01:00
parent 4fa4668ed6
commit d8e19b776e


@ -236,12 +236,12 @@ func (s *apiService) Serve() {
guiCfg := s.cfg.GUI() guiCfg := s.cfg.GUI()
// Add the CORS handling
handler := corsMiddleware(mux)
// Wrap everything in CSRF protection. The /rest prefix should be // Wrap everything in CSRF protection. The /rest prefix should be
// protected, other requests will grant cookies. // protected, other requests will grant cookies.
handler := csrfMiddleware(s.id.String()[:5], "/rest", guiCfg, mux) handler = csrfMiddleware(s.id.String()[:5], "/rest", guiCfg, handler)
// Add the CORS handling
handler = corsMiddleware(handler)
// Add our version and ID as a header to responses // Add our version and ID as a header to responses
handler = withDetailsMiddleware(s.id, handler) handler = withDetailsMiddleware(s.id, handler)
@ -382,6 +382,10 @@ func corsMiddleware(next http.Handler) http.Handler {
// Handle CORS headers and CORS OPTIONS request. // Handle CORS headers and CORS OPTIONS request.
// CORS OPTIONS request are typically sent by browser during AJAX preflight // CORS OPTIONS request are typically sent by browser during AJAX preflight
// when the browser initiate a POST request. // when the browser initiate a POST request.
//
// As the OPTIONS request is unauthorized, this handler must be the first
// of the chain.
//
// See https://www.w3.org/TR/cors/ for details. // See https://www.w3.org/TR/cors/ for details.
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Add a generous access-control-allow-origin header since we may be // Add a generous access-control-allow-origin header since we may be