From bba410af324f997f7440ec8e4b5c40ce3ec9391c Mon Sep 17 00:00:00 2001
From: Hector Sanjuan
Date: Wed, 22 Dec 2021 13:25:23 +0100
Subject: [PATCH] API: OPTIONS requests should bypass authentication

They need to be handled directly by the CORS handler. Fixes #1512
---
 api/common/api.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/api/common/api.go b/api/common/api.go
index 234fc8fc..04f8d577 100644
--- a/api/common/api.go
+++ b/api/common/api.go
@@ -128,9 +128,11 @@ func NewAPIWithHost(ctx context.Context, cfg *Config, h host.Host, routes func(*
 // - the cors handler,
 // - the basic auth handler.
 //
- // Thus every request will need to have valid credentials first, then
- // comply with CORS, then it may be redirected if the path ends with a
- // "/" and finally it hits one of our routes and handlers.
+ // Requests will need to have valid credentials first, except
+ // cors-preflight requests (OPTIONS). Then requests are handled by
+ // CORS and potentially need to comply with it. Then they may be
+ // redirected if the path ends with a "/". Finally they hit one of our
+ // routes and handlers.
 router := mux.NewRouter()
 handler := basicAuthHandler(
 cfg.BasicAuthCredentials,
@@ -285,6 +287,13 @@ func basicAuthHandler(credentials map[string]string, h http.Handler, lggr *loggi
 }

 wrap := func(w http.ResponseWriter, r *http.Request) {
+ // We let CORS preflight requests pass through the next
+ // handler.
+ if r.Method == http.MethodOptions {
+ h.ServeHTTP(w, r)
+ return
+ }
+
 w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 username, password, ok := r.BasicAuth()
 if !ok {
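Review bot: The added check in `wrap` skips authentication for every request whose method is OPTIONS, not only for CORS preflights, so an OPTIONS request that carries no preflight headers also reaches the next handler without credentials. A preflight is identified by `Access-Control-Request-Method` (sent together with `Origin`), so the guard can be narrowed to `if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {`. Whether the CORS handler answers a non-preflight OPTIONS itself or forwards it to the router is not visible in this patch, so it is worth confirming that no route serves OPTIONS and adding a test that an unauthenticated OPTIONS request never reaches a route handler. The comment rewritten in the first hunk (`except cors-preflight requests (OPTIONS)`) should state the same condition as the code. The body of `wrap` continues past the end of this hunk.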