Set AllowedHeaders on API CORS handler (#16524)

Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers
to pull API.

Fix #16100

Signed-off-by: Andrew Thornton <art27@cantab.net>

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index b1933366f06968971e35c582ad42a2822b051265..b2202254daa97a5159c03d4b25d5df0d00577a7b 100644 (file)
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -569,6 +569,7 @@ func Routes() *web.Route {
                        //setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
                        AllowedMethods:   setting.CORSConfig.Methods,
                        AllowCredentials: setting.CORSConfig.AllowCredentials,
+                       AllowedHeaders:   []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"},
                        MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
                }))
        }

diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index ba47c3eb8ea65836529a5a156ecbe7cd5082851a..3ae7b2683e129e7a7288d8ec6be948486dfaa953 100644 (file)
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -1254,5 +1254,6 @@ func GetPullRequestCommits(ctx *context.APIContext) {
        ctx.Header().Set("X-Total-Count", fmt.Sprintf("%d", totalNumberOfCommits))
        ctx.Header().Set("X-PageCount", strconv.Itoa(totalNumberOfPages))
        ctx.Header().Set("X-HasMore", strconv.FormatBool(listOptions.Page < totalNumberOfPages))
+       ctx.Header().Set("Access-Control-Expose-Headers", "X-Total-Count, X-PerPage, X-Total, X-PageCount, X-HasMore, Link")
        ctx.JSON(http.StatusOK, &apiCommits)
 }