diff --git a/app/controllers/application_controller/sets_headers.rb b/app/controllers/application_controller/sets_headers.rb index 93b09eff2..bf0133d02 100644 --- a/app/controllers/application_controller/sets_headers.rb +++ b/app/controllers/application_controller/sets_headers.rb @@ -35,19 +35,12 @@ module ApplicationController::SetsHeaders # request, return only the necessary headers and return an empty # text/plain. def cors_preflight_check - return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth' - - cors_preflight_check_execute - end - - def cors_preflight_check_execute - return true if request.method != 'OPTIONS' + return if request.method != 'OPTIONS' headers['Access-Control-Allow-Origin'] = '*' headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS' headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language' headers['Access-Control-Max-Age'] = '1728000' - render text: '', content_type: 'text/plain' - false + render plain: '' end end diff --git a/app/controllers/form_controller.rb b/app/controllers/form_controller.rb index 3b0f5e511..00e2f33dc 100644 --- a/app/controllers/form_controller.rb +++ b/app/controllers/form_controller.rb @@ -2,7 +2,7 @@ class FormController < ApplicationController skip_before_action :verify_csrf_token - before_action :cors_preflight_check_execute + before_action :cors_preflight_check after_action :set_access_control_headers_execute skip_before_action :user_device_check diff --git a/config/routes.rb b/config/routes.rb index cb6722b7b..55315ffab 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -6,6 +6,7 @@ Rails.application.routes.draw do # just remember to delete public/index.html. root to: 'init#index', via: :get + root to: 'errors#routing', via: %i[post put delete options] # load routes from external files dir = File.expand_path(__dir__) @@ -18,6 +19,5 @@ Rails.application.routes.draw do end end - match '*a', to: 'errors#routing', via: %i[get post put delete] - + match '*a', to: 'errors#routing', via: %i[get post put delete options] end diff --git a/spec/requests/cors_preflight_check_spec.rb b/spec/requests/cors_preflight_check_spec.rb new file mode 100644 index 000000000..b71f85a25 --- /dev/null +++ b/spec/requests/cors_preflight_check_spec.rb @@ -0,0 +1,25 @@ +require 'rails_helper' + +RSpec.describe 'CORS Preflight Check', type: :request do + + shared_examples 'empty response' do + it { expect(response).to have_http_status(:ok) } + it { expect(response.body).to be_empty } + end + + context 'valid route' do + before do + process :options, '/' + end + + include_examples 'empty response' + end + + context 'invalid route' do + before do + process :options, '/this_is_an_invalid_route' + end + + include_examples 'empty response' + end +end