Merge pull request #1819 from al45tair/cors-auth

fix: allow Authorization header when doing CORS
2020-10-06 14:35:21 +02:00 · 2020-10-06 14:35:21 +02:00 · d1f599dd32
parent a28f5bb218 9187aa669d
commit d1f599dd32
1 changed files with 8 additions and 2 deletions
--- a/server/server.go
+++ b/server/server.go
@ -294,8 +294,14 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 	handleWithCORS := func(p string, h http.HandlerFunc) {
 		var handler http.Handler = h
 		if len(c.AllowedOrigins) > 0 {
-			corsOption := handlers.AllowedOrigins(c.AllowedOrigins)
-			handler = handlers.CORS(corsOption)(handler)
+			allowedHeaders := []string{
+				"Authorization",
+			}
+			cors := handlers.CORS(
+				handlers.AllowedOrigins(c.AllowedOrigins),
+				handlers.AllowedHeaders(allowedHeaders),
+			)
+			handler = cors(handler)
 		}
 		r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, handler))
 	}