From 7dc0c6ab436da784b3fa00c65fcbe8597f9c4e79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Colomb?=
Date: Sun, 1 Nov 2020 14:29:55 +0100
Subject: [PATCH] lib/api: Allow OPTIONS method in CORS preflight request handling (ref #7017) (#7079)

This allows for checking GUI / API availability without actually doing a GET or POST request.
---
 lib/api/api.go | 4 ++--
 lib/api/api_test.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/api/api.go b/lib/api/api.go
index 9d8791bf5..bcc685b20 100644
--- a/lib/api/api.go
+++ b/lib/api/api.go
@@ -503,8 +503,8 @@ func corsMiddleware(next http.Handler, allowFrameLoading bool) http.Handler {
 if r.Method == "OPTIONS" {
 // Add a generous access-control-allow-origin header for CORS requests
 w.Header().Add("Access-Control-Allow-Origin", "*")
- // Only GET/POST Methods are supported
- w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+ // Only GET/POST/OPTIONS Methods are supported
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
 // Only these headers can be set
 w.Header().Set("Access-Control-Allow-Headers", "Content-Type, X-API-Key")
 // The request is meant to be cached 10 minutes
diff --git a/lib/api/api_test.go b/lib/api/api_test.go
index 4ef45c956..5fa0af3e2 100644
--- a/lib/api/api_test.go
+++ b/lib/api/api_test.go
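Review bot: The new `Access-Control-Allow-Methods` value on the `+` line is a hard-coded literal that `TestOptionsRequest` in lib/api/api_test.go repeats verbatim, so the two will drift silently the next time a method is added; a package-level `const corsAllowedMethods = "GET, POST, OPTIONS"` referenced by both the middleware and the test would keep them in step. The updated comment says only GET/POST/OPTIONS are "supported", but what this line controls is which methods the preflight advertises to cross-origin callers, not what the handlers behind it accept — I cannot see the routes from this hunk, so rewording it to `// Methods advertised to cross-origin callers in the CORS preflight` would be accurate regardless. Since the preceding context cites a 10-minute cache for the preflight response (the Max-Age header itself is outside the hunk), browsers holding the previous value will not see OPTIONS in the list until that expires, which is worth a line in the commit message. corsMiddleware's body continues outside the hunk.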
@@ -1073,8 +1073,8 @@ func TestOptionsRequest(t *testing.T) {
 if resp.Header.Get("Access-Control-Allow-Origin") != "*" {
 t.Fatal("OPTIONS on /rest/system/status should return a 'Access-Control-Allow-Origin: *' header")
 }
- if resp.Header.Get("Access-Control-Allow-Methods") != "GET, POST" {
- t.Fatal("OPTIONS on /rest/system/status should return a 'Access-Control-Allow-Methods: GET, POST' header")
+ if resp.Header.Get("Access-Control-Allow-Methods") != "GET, POST, OPTIONS" {
+ t.Fatal("OPTIONS on /rest/system/status should return a 'Access-Control-Allow-Methods: GET, POST, OPTIONS' header")
 }
 if resp.Header.Get("Access-Control-Allow-Headers") != "Content-Type, X-API-Key" {
 t.Fatal("OPTIONS on /rest/system/status should return a 'Access-Control-Allow-Headers: Content-Type, X-API-KEY' header")
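Review bot: The new `t.Fatal` on the `+` line reports only the expected header value, so a regression will not show what the server actually sent; reading the header once and failing with the observed value, `got := resp.Header.Get("Access-Control-Allow-Methods")` followed by `t.Fatalf("OPTIONS on /rest/system/status should return a 'Access-Control-Allow-Methods: GET, POST, OPTIONS' header, got %q", got)`, makes the failure self-explanatory. The exact-string comparison also ties the test to the server's spelling and ordering of the list, which is acceptable here since the server sets that literal, but it is a second copy of the allow-list that must be edited in lockstep with lib/api/api.go. TestOptionsRequest continues outside the hunk in both directions.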