Set AllowedHeaders on API CORS handler (#16524)

Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers to pull API. Fix #16100 Signed-off-by: Andrew Thornton <[email protected]>
go-gitea · Aug 4, 2021 · 19e2c6a · 19e2c6a
1 parent 7c4172e
commit 19e2c6a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -569,6 +569,7 @@ func Routes() *web.Route {
 			//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
 			AllowedMethods:   setting.CORSConfig.Methods,
 			AllowCredentials: setting.CORSConfig.AllowCredentials,
+			AllowedHeaders:   []string{"Authorization", "X-CSRFToken", "X-Gitea-OTP"},
 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
 		}))
 	}

diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
@@ -1254,5 +1254,6 @@ func GetPullRequestCommits(ctx *context.APIContext) {
 	ctx.Header().Set("X-Total-Count", fmt.Sprintf("%d", totalNumberOfCommits))
 	ctx.Header().Set("X-PageCount", strconv.Itoa(totalNumberOfPages))
 	ctx.Header().Set("X-HasMore", strconv.FormatBool(listOptions.Page < totalNumberOfPages))
+	ctx.Header().Set("Access-Control-Expose-Headers", "X-Total-Count, X-PerPage, X-Total, X-PageCount, X-HasMore, Link")
 	ctx.JSON(http.StatusOK, &apiCommits)
 }