Support CORS+Basic auth together

2020-10-03 23:06:48 -07:00
parent 922dfec77a
commit bb9c788306
2 changed files with 14 additions and 4 deletions
--- a/router/middleware/auth.go
+++ b/router/middleware/auth.go
@@ -13,11 +13,24 @@ import (
 func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
 	username := "admin"
 	password := config.Config.VideoSettings.StreamingKey
+	realm := "Owncast Authenticated Request"

 	return func(w http.ResponseWriter, r *http.Request) {
+		// The following line is kind of a work around.
+		// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
+		// Access-Control-Allow-Origin header.  So we just pull out the origin header and specify it.
+		// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
+		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
+
+		// For request needing CORS, send a 200.
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusOK)
+			return
+		}

 		user, pass, ok := r.BasicAuth()
-		realm := "Owncast Authenticated Request"

 		// Failed
 		if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {