From c5b3edf87d4c32f16a3bd47d450f691f58ab1d4c Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Fri, 30 May 2025 00:00:05 +1200
Subject: [PATCH] Fix: Ignore basic auth for OPTIONS requests to API when CORS
 is set

Web browsers do not send authorization headers for  preflight requests.
---
 server/server.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/server.go b/server/server.go
index eb2a3cd..a38ae00 100644
--- a/server/server.go
+++ b/server/server.go
@@ -239,7 +239,9 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
 			w.Header().Set("Access-Control-Allow-Headers", "*")
 		}
 
-		if auth.UICredentials != nil {
+		// Check basic authentication headers if configured.
+		// OPTIONS requests are skipped if CORS is enabled, since browsers omit credentials for preflight.
+		if !(AccessControlAllowOrigin != "" && r.Method == http.MethodOptions) && auth.UICredentials != nil {
 			user, pass, ok := r.BasicAuth()
 
 			if !ok {