Commit 19e54858 authored by dcouture's avatar dcouture

Allow CORS on /oauth/token

parent eb380cd3
---
title: Allow cross-origin requests on /oauth/token
merge_request: 52641
author:
type: fixed
...@@ -289,6 +289,14 @@ module Gitlab ...@@ -289,6 +289,14 @@ module Gitlab
methods: :any, methods: :any,
expose: headers_to_expose expose: headers_to_expose
end end
# Cross-origin requests must be enabled for the Authorization code with PKCE OAuth flow when used from a browser.
allow do
origins '*'
resource '/oauth/token',
credentials: false,
methods: [:post]
end
end end
# Use caching across all environments # Use caching across all environments
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Oauth::TokensController do
it 'allows cross-origin POST requests' do
post '/oauth/token', headers: { 'Origin' => 'http://notgitlab.com' }
expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
expect(response.headers['Access-Control-Allow-Methods']).to eq 'POST'
expect(response.headers['Access-Control-Allow-Headers']).to be_nil
expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment