fix(auth): limit admin cors access to only localhost:3000

This commit is contained in:
Gabe Kangas 2023-12-18 22:05:49 -08:00
parent 2c8e11db8a
commit 9215d9ba0f
No known key found for this signature in database
GPG Key ID: 4345B2060657F330

View File

@ -25,11 +25,9 @@ func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
password := data.GetAdminPassword() password := data.GetAdminPassword()
realm := "Owncast Authenticated Request" realm := "Owncast Authenticated Request"
// The following line is kind of a work around. // Alow CORS only for localhost:3000 to support Owncast development.
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the validAdminHost := "http://localhost:3000"
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it. w.Header().Set("Access-Control-Allow-Origin", validAdminHost)
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
w.Header().Set("Access-Control-Allow-Credentials", "true") w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization") w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")