Diffstat (limited to 'lib/private/AppFramework/Middleware/Security/CORSMiddleware.php')
-rw-r--r--lib/private/AppFramework/Middleware/Security/CORSMiddleware.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 8bdacf550b6..fef9632487e 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -38,6 +38,7 @@ use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
use OCP\IRequest;
+use OCP\ISession;
use OCP\Security\Bruteforce\IThrottler;
use ReflectionMethod;
@@ -58,9 +59,9 @@ class CORSMiddleware extends Middleware {
private $throttler;
public function __construct(IRequest $request,
- ControllerMethodReflector $reflector,
- Session $session,
- IThrottler $throttler) {
+ ControllerMethodReflector $reflector,
+ Session $session,
+ IThrottler $throttler) {
$this->request = $request;
$this->reflector = $reflector;
$this->session = $session;
@@ -91,6 +92,10 @@ class CORSMiddleware extends Middleware {
if ($this->request->passesCSRFCheck()) {
return;
}
+ // Skip CORS check for requests with AppAPI auth.
+ if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {
+ return;
+ }
$this->session->logout();
try {
if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
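Review bot: The added early return on `app_api === true` skips both `$this->session->logout()` and the `logClientIn()` credential check that follow, so whatever this middleware guards against for session-authenticated requests failing the CSRF check now depends entirely on that one session value. Nothing in the hunk shows where `app_api` is set or whether it is scoped to a single request. If it can persist in a cookie-backed session, any later request carrying that cookie would also take this branch, so please confirm it is only set by the AppAPI authentication path for the current request. The comment should state that invariant rather than only "Skip CORS check", for example `// AppAPI requests are authenticated per request (signature verified upstream); 'app_api' must never persist in a cookie-backed session, or this return bypasses the logout below.` As a smaller point, `getSession()` is called twice; reading it once with `$session = $this->session->getSession();` keeps the `instanceof` test and the `get('app_api')` call on the same object. The enclosing method starts and ends outside the hunk.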