cors to login

2026-02-21 04:55:36 +01:00 · 2024-01-17 09:33:18 +01:00 · 2024-01-17 09:33:18 +01:00 · ecff4e5244
commit ecff4e5244
parent 92d071cea2
5 changed files with 52 additions and 3 deletions
--- a/next.config.js
+++ b/next.config.js
@ -17,6 +17,22 @@ const headers = [
    key: 'X-DNS-Prefetch-Control',
    value: 'on',
  },
+  {
+    key: 'Access-Control-Allow-Credentials',
+    value: 'true',
+  },
+  {
+    key: 'Access-Control-Allow-Origin',
+    value: '*',
+  },
+  {
+    key: 'Access-Control-Allow-Headers',
+    value: 'Content-Type',
+  },
+  {
+    key: 'Access-Control-Allow-Methods',
+    value: 'GET, OPTIONS, PATCH, DELETE, POST, PUT',
+  },
  {
    key: 'Content-Security-Policy',
    value: contentSecurityPolicy
@ -26,6 +42,11 @@ const headers = [
  },
 ];

+headers.push({
+  key: 'Access-Control-Allow-Origin',
+  value: '*',
+});
+
 if (process.env.FORCE_SSL) {
  headers.push({
    key: 'Strict-Transport-Security',
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "umami",
-  "version": "2.9.0",
+  "version": "2.9.1",
  "description": "A simple, fast, privacy-focused alternative to Google Analytics.",
  "author": "Mike Cao <mike@mikecao.com>",
  "license": "MIT",
--- a/src/pages/api/auth/login.ts
+++ b/src/pages/api/auth/login.ts
@ -70,6 +70,8 @@ export default async (
    log('Login failed:', { username, user });

    return unauthorized(res, 'message.incorrect-username-password');
+  } else if (req.method === 'OPTIONS') {
+    return ok(res);
  }

  return methodNotAllowed(res);
--- a/test.html
+++ b/test.html
@ -0,0 +1,28 @@
+<html>
+<script>
+    async function postData(url = "", data = {}) {
+  // Default options are marked with *
+  const response = await fetch(url, {
+    method: "GET", // *GET, POST, PUT, DELETE, etc.
+    mode: "cors", // no-cors, *cors, same-origin
+    cache: "no-cache", // *default, no-cache, reload, force-cache, only-if-cached
+    credentials: "same-origin", // include, *same-origin, omit
+    headers: {
+      "Content-Type": "application/json",
+      'Access-Control-Allow-Origin': '*',
+      "Authorization":"Bearer 6QEzcKYfrgQAemg1Z5e9oGwbGzPy2OAV3UH2N5IQF0Z7MwIhqtWTTCBCnQQcuFQEUJa3lXfkwD8G/SbFPKklcfDfbszJqIdxeDPwWbPY0ogSGebEVdz9lZBb0dQmgSEOEpVgG4ux+Qt18PzYX6fLEbCMqO6wR7A3Z5StDDct6s35kEQj1fW7ln7HXkgp22MJx3hqNgJ/01D6avAA+dv2A8uG3j64zaqmlK0S4tntczXbXGfR8u9x3qmMm74o+JMcfSnRiNMVA0zbDOVHx4w/GKzqfYs3HASY+qN7upwYIYPSk4AAY2o24cfVn5ZPGqyRuF91RXechyVe98n4tBll1edQ+XkqrAXQ6w==",
+      "Orgin":"localhost"
+      // 'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    redirect: "follow", // manual, *follow, error
+    referrerPolicy: "no-referrer", // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
+    //body: JSON.stringify(data), // body data type must match "Content-Type" header
+  });
+  return response.json(); // parses JSON response into native JavaScript objects
+}
+
+postData("http://localhost:8080/api/websites/", { answer: 42 }).then((data) => {
+  console.log(data); // JSON data parsed by `data.json()` call
+});
+</script>
+</htm>
--- a/yarn.lock
+++ b/yarn.lock
@ -1,8 +1,6 @@
 # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
 # yarn lockfile v1

-strict-ssl false
-enableStrictSsl false

 "@aashutoshrathi/word-wrap@^1.2.3":
  version "1.2.6"