API: Return blank 200 response for OPTIONS requests (CORS)

2025-02-07 13:31:56 +02:00 · 2023-05-09 17:11:57 +12:00 · 2023-05-09 17:11:57 +12:00 · 9670c4e1d5
commit 9670c4e1d5
parent 1e97e9e21f
2 changed files with 12 additions and 2 deletions
--- a/server/apiv1/api.go
+++ b/server/apiv1/api.go
@ -657,3 +657,10 @@ func getStartLimit(req *http.Request) (start int, limit int) {

 	return start, limit
 }
+
+// GetOptions returns a blank response
+func GetOptions(w http.ResponseWriter, r *http.Request) {
+
+	w.Header().Set("Content-Type", "text/plain")
+	_, _ = w.Write([]byte(""))
+}
--- a/server/server.go
+++ b/server/server.go
@ -94,6 +94,9 @@ func defaultRoutes() *mux.Router {
 	r.HandleFunc(config.Webroot+"api/v1/info", middleWareFunc(apiv1.AppInfo)).Methods("GET")
 	r.HandleFunc(config.Webroot+"api/v1/webui", middleWareFunc(apiv1.WebUIConfig)).Methods("GET")

+	// return blank 200 response for OPTIONS requests for CORS
+	r.PathPrefix(config.Webroot + "api/v1/").Handler(middleWareFunc(apiv1.GetOptions)).Methods("OPTIONS")
+
 	return r
 }

@ -122,7 +125,7 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {

 		if AccessControlAllowOrigin != "" && strings.HasPrefix(r.RequestURI, config.Webroot+"api/") {
 			w.Header().Set("Access-Control-Allow-Origin", AccessControlAllowOrigin)
-			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS")
 			w.Header().Set("Access-Control-Allow-Headers", "*")
 		}

@ -161,7 +164,7 @@ func middlewareHandler(h http.Handler) http.Handler {

 		if AccessControlAllowOrigin != "" && strings.HasPrefix(r.RequestURI, config.Webroot+"api/") {
 			w.Header().Set("Access-Control-Allow-Origin", AccessControlAllowOrigin)
-			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS")
 			w.Header().Set("Access-Control-Allow-Headers", "*")
 		}