From 16b9ee86bff5d91eacea625b1ca446713f0bbaf5 Mon Sep 17 00:00:00 2001
From: jessevz
Date: Mon, 1 Dec 2025 09:00:24 +0100
Subject: [PATCH] Ignore OPTIONS request to validate with JWT

---
 src/api/v2/index.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/api/v2/index.php b/src/api/v2/index.php
index 2eb515c84..535c5e919 100644
--- a/src/api/v2/index.php
+++ b/src/api/v2/index.php
@@ -54,6 +54,7 @@ use DBA\User;
 use DBA\Factory;
 use JimTools\JwtAuth\Handlers\BeforeHandlerInterface;
+use JimTools\JwtAuth\Rules\RequestMethodRule;
 use JimTools\JwtAuth\Rules\RequestPathRule;
 use Psr\Http\Message\ServerRequestInterface;
@@ -152,7 +153,8 @@ public function get($key): string {
     );
     $rules = [
-        new RequestPathRule(ignore: ["/api/v2/auth/token", "/api/v2/helper/resetUserPassword", "/api/v2/openapi.json"])
+        new RequestPathRule(ignore: ["/api/v2/auth/token", "/api/v2/helper/resetUserPassword", "/api/v2/openapi.json"]),
+        new RequestMethodRule(ignore: ["OPTIONS"])
     ];
     return new JwtAuthentication($options, $decoder, $rules);
 });
@@ -207,9 +209,10 @@ public static function addCORSheaders(Request $request, $response) {
     $methods = $routingResults->getAllowedMethods();
     $requestHeaders = $request->getHeaderLine('Access-Control-Request-Headers');
-    if (getenv('HASHTOPOLIS_FRONTEND_URLS') !== false) {
-        if(in_array($request->getHeaderLine('HTTP_ORIGIN'), explode(',', getenv('HASHTOPOLIS_FRONTEND_URLS')), true)) {
-            $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeaderLine('HTTP_ORIGIN'));
+    $frontend_urls = getenv('HASHTOPOLIS_FRONTEND_URLS');
+    if ($frontend_urls !== false) {
+        if(in_array($request->getHeaderLine('Origin'), explode(',', $frontend_urls), true)) {
+            $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeaderLine('Origin'));
         } else {
             error_log("CORS error: Allow-Origin doesn't match. Please make sure to include the used frontend in the .env file.");
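Review bot: The new `RequestMethodRule(ignore: ["OPTIONS"])` in the `$rules` array exempts every OPTIONS request from JWT validation, not only CORS preflights, so any route that answers OPTIONS itself (a handler registered with `any()` or an explicit OPTIONS method, if the app has one) would become reachable without a token; it is worth confirming that OPTIONS is fully answered by addCORSheaders before it can reach a route handler. The closure that builds `$rules` starts above the hunk, so only the rule list is visible here. A short comment would make the intent durable for the next reader: `// OPTIONS is exempt from JWT: CORS preflight requests carry no Authorization header and must succeed before the browser sends the real request.` Whether the exemption should be narrowed to requests carrying `Access-Control-Request-Method` (only preflights send it) is a judgement call, since a plain method rule cannot express that.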