
Commit ceb34d6

committed
Allow credentialed cross-origin API requests
1 parent 4edfe8e commit ceb34d6

2 files changed

Lines changed: 4 additions & 0 deletions


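--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -245,6 +245,7 @@ func (s *Server) withCORS(next http.Handler) http.Handler {
 } else {
 w.Header().Set("Access-Control-Allow-Origin", "*")
 }
+w.Header().Set("Access-Control-Allow-Credentials", "true")
 allowMethods := strings.TrimSpace(r.Header.Get("Access-Control-Request-Method"))
 if allowMethods == "" {
 allowMethods = "GET, POST, PUT, PATCH, DELETE, OPTIONS"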
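Review bot: `Access-Control-Allow-Credentials: true` is now sent on every response, including the `else` path that answers with `Access-Control-Allow-Origin: *`, a combination browsers reject for credentialed requests. The `if` branch begins above the hunk, so I cannot see how the specific origin is chosen; the test's expected `https://dash.clawgo.dev` suggests the request's Origin is echoed, and if that echo is not restricted to an allowlist, this header lets any site read authenticated API responses with the user's cookies. I would set the header only inside the branch that returns a specific, allowlisted origin, and confirm that branch also sends `Vary: Origin` so caches do not mix responses between origins. A comment such as `// credentials are only allowed for origins on the configured allowlist` above the line would record the intent.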

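--- a/pkg/api/server_test.go
+++ b/pkg/api/server_test.go
@@ -193,6 +193,9 @@ func TestWithCORSEchoesPreflightHeaders(t *testing.T) {
 if got := rec.Header().Get("Access-Control-Allow-Origin"); got != "https://dash.clawgo.dev" {
 t.Fatalf("unexpected allow origin: %q", got)
 }
+if got := rec.Header().Get("Access-Control-Allow-Credentials"); got != "true" {
+t.Fatalf("unexpected allow credentials: %q", got)
+}
 if got := rec.Header().Get("Access-Control-Allow-Methods"); got != "POST" {
 t.Fatalf("unexpected allow methods: %q", got)
 }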
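Review bot: The new assertion only covers a preflight from `https://dash.clawgo.dev`; nothing pins what `Access-Control-Allow-Credentials` should be when the request has no Origin or one the server should not trust. Since this header decides whether browsers attach cookies to cross-origin calls, I would add cases asserting it is absent in those situations, e.g. `if got := rec.Header().Get("Access-Control-Allow-Credentials"); got != "" { t.Fatalf("unexpected allow credentials: %q", got) }` on a request without an Origin header. The test function starts and continues outside the hunk, so such cases may need their own test.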
