fix(auth): limit admin cors access to only localhost:3000
This commit is contained in:
parent
2c8e11db8a
commit
9215d9ba0f
@ -25,11 +25,9 @@ func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
|
|||||||
password := data.GetAdminPassword()
|
password := data.GetAdminPassword()
|
||||||
realm := "Owncast Authenticated Request"
|
realm := "Owncast Authenticated Request"
|
||||||
|
|
||||||
// The following line is kind of a work around.
|
// Alow CORS only for localhost:3000 to support Owncast development.
|
||||||
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
|
validAdminHost := "http://localhost:3000"
|
||||||
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
|
w.Header().Set("Access-Control-Allow-Origin", validAdminHost)
|
||||||
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
|
|
||||||
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
|
||||||
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
||||||
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
|
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user