Support CORS+Basic auth together

controllers/admin/inboundBroadcasterDetails.go

@@ -7,13 +7,10 @@ import (
 	"github.com/gabek/owncast/controllers"
 	"github.com/gabek/owncast/core"
 	"github.com/gabek/owncast/models"
-	"github.com/gabek/owncast/router/middleware"
 )
 
 // GetInboundBroadasterDetails gets the details of the inbound broadcaster
 func GetInboundBroadasterDetails(w http.ResponseWriter, r *http.Request) {
-	middleware.EnableCors(&w)
-
 	broadcaster := core.GetBroadcaster()
 	if broadcaster == nil {
 		controllers.WriteSimpleResponse(w, false, "no broadcaster connected")

router/middleware/auth.go

@@ -13,11 +13,24 @@ import (
 func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
 	username := "admin"
 	password := config.Config.VideoSettings.StreamingKey
+	realm := "Owncast Authenticated Request"
 
 	return func(w http.ResponseWriter, r *http.Request) {
+		// The following line is kind of a work around.
+		// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
+		// Access-Control-Allow-Origin header.  So we just pull out the origin header and specify it.
+		// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
+		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
+
+		// For request needing CORS, send a 200.
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}
 
 		user, pass, ok := r.BasicAuth()
-		realm := "Owncast Authenticated Request"
 
 		// Failed
 		if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {