From 0044e804912099a6478b747230cdc37b2c8a3047 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Thu, 4 Mar 2021 01:25:30 +0000
Subject: [PATCH] Add CORS config on to /login/oauth/access_token endpoint (#14850)

Fix #7204

Signed-off-by: Andrew Thornton
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lauris BH
---
 routers/routes/web.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/routers/routes/web.go b/routers/routes/web.go
index 0130009059..22774b2cdc 100644
--- a/routers/routes/web.go
+++ b/routers/routes/web.go
@@ -47,6 +47,7 @@ import (
 "gitea.com/go-chi/session"
 "github.com/NYTimes/gziphandler"
 "github.com/go-chi/chi/middleware"
+ "github.com/go-chi/cors"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/tstranex/u2f"
 "github.com/unknwon/com"
@@ -389,7 +390,18 @@ func RegisterRoutes(m *web.Route) {
 // TODO manage redirection
 m.Post("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
 }, ignSignInAndCsrf, reqSignIn)
- m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+ if setting.CORSConfig.Enabled {
+ m.Post("/login/oauth/access_token", cors.Handler(cors.Options{
+ //Scheme: setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
+ AllowedOrigins: setting.CORSConfig.AllowDomain,
+ //setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+ AllowedMethods: setting.CORSConfig.Methods,
+ AllowCredentials: setting.CORSConfig.AllowCredentials,
+ MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
+ }), bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+ } else {
+ m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+ }
 m.Group("/user/settings", func() {
 m.Get("", userSetting.Profile)
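Review bot: In the enabled branch of the `/login/oauth/access_token` registration, `setting.CORSConfig.AllowDomain` is passed straight into `AllowedOrigins` while `Scheme` and `AllowSubdomain` are left as commented-out FIXMEs, so both settings are silently ignored on the endpoint that hands out OAuth access tokens. go-chi/cors compares `AllowedOrigins` entries against the full `Origin` header, scheme included, so if `AllowDomain` holds bare host names (as the separate `Scheme` setting suggests) only a `*` entry would ever match. I would state this above the options literal, e.g. `// NOTE: AllowedOrigins must be full origins (scheme://host); CORSConfig.Scheme and AllowSubdomain are NOT applied here`, and note there that `*` should not be combined with `AllowCredentials`. The middleware is also attached through `m.Post` only, so a preflight `OPTIONS` request may never reach it unless it is handled elsewhere in `RegisterRoutes`, whose body continues outside the hunk.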