From 1cbb139476455b156d049f227225a63f1cf6d3c3 Mon Sep 17 00:00:00 2001
From: Rolf Schmidt
Date: Thu, 13 Feb 2020 11:49:33 +0100
Subject: [PATCH] Enhancement: Made CORS Preflight Check specification conform.

---
 .../application_controller/sets_headers.rb | 11 ++------
 app/controllers/form_controller.rb | 2 +-
 config/routes.rb | 4 +--
 spec/requests/cors_preflight_check_spec.rb | 25 +++++++++++++++++++
 4 files changed, 30 insertions(+), 12 deletions(-)
 create mode 100644 spec/requests/cors_preflight_check_spec.rb

diff --git a/app/controllers/application_controller/sets_headers.rb b/app/controllers/application_controller/sets_headers.rb
index 93b09eff2..bf0133d02 100644
--- a/app/controllers/application_controller/sets_headers.rb
+++ b/app/controllers/application_controller/sets_headers.rb
@@ -35,19 +35,12 @@ module ApplicationController::SetsHeaders
 # request, return only the necessary headers and return an empty
 # text/plain.
 def cors_preflight_check
- return true if @_auth_type != 'token_auth' && @_auth_type != 'basic_auth'
-
- cors_preflight_check_execute
- end
-
- def cors_preflight_check_execute
- return true if request.method != 'OPTIONS'
+ return if request.method != 'OPTIONS'
 headers['Access-Control-Allow-Origin'] = '*'
 headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, PATCH, OPTIONS'
 headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
 headers['Access-Control-Max-Age'] = '1728000'
- render text: '', content_type: 'text/plain'
- false
+ render plain: ''
 end
 end
diff --git a/app/controllers/form_controller.rb b/app/controllers/form_controller.rb
index 3b0f5e511..00e2f33dc 100644
--- a/app/controllers/form_controller.rb
+++ b/app/controllers/form_controller.rb
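Review bot: With the `@_auth_type` gate gone, `cors_preflight_check` now answers every OPTIONS request with `Access-Control-Allow-Origin: *`, and nothing in the method records why that is acceptable: a wildcard origin cannot be combined with credentials, so browser session cookies remain unusable from another origin. I would add a comment above the header assignments: `# '*' is deliberate: it rules out credentialed cross-origin requests, so session cookies are never usable from another origin; do not switch this to echoing the Origin together with Allow-Credentials.` Note also that the unchanged `Access-Control-Allow-Headers` list does not include `Authorization`, so a cross-origin client sending token or basic auth in that header will still fail the preflight this method is presumably meant to permit; confirm how those clients are expected to authenticate before adding it. The hunk covers the whole method, so this stands on its own.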
@@ -2,7 +2,7 @@ class FormController < ApplicationController
 skip_before_action :verify_csrf_token
- before_action :cors_preflight_check_execute
+ before_action :cors_preflight_check
 after_action :set_access_control_headers_execute
 skip_before_action :user_device_check
diff --git a/config/routes.rb b/config/routes.rb
index cb6722b7b..55315ffab 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,6 +6,7 @@ Rails.application.routes.draw do
 # just remember to delete public/index.html.
 root to: 'init#index', via: :get
+ root to: 'errors#routing', via: %i[post put delete options]
 # load routes from external files
 dir = File.expand_path(__dir__)
@@ -18,6 +19,5 @@ Rails.application.routes.draw do
 end
 end
- match '*a', to: 'errors#routing', via: %i[get post put delete]
-
+ match '*a', to: 'errors#routing', via: %i[get post put delete options]
 end
diff --git a/spec/requests/cors_preflight_check_spec.rb b/spec/requests/cors_preflight_check_spec.rb
new file mode 100644
index 000000000..b71f85a25
--- /dev/null
+++ b/spec/requests/cors_preflight_check_spec.rb
@@ -0,0 +1,25 @@
+require 'rails_helper'
+
+RSpec.describe 'CORS Preflight Check', type: :request do
+
+ shared_examples 'empty response' do
+ it { expect(response).to have_http_status(:ok) }
+ it { expect(response.body).to be_empty }
+ end
+
+ context 'valid route' do
+ before do
+ process :options, '/'
+ end
+
+ include_examples 'empty response'
+ end
+
+ context 'invalid route' do
+ before do
+ process :options, '/this_is_an_invalid_route'
+ end
+
+ include_examples 'empty response'
+ end
+end
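Review bot: The root fallback and the `'*a'` catch-all list only `get post put delete options`, while the preflight response advertises `PATCH` in `Access-Control-Allow-Methods`, so an unmatched PATCH request is left to Rails' default routing error rather than `errors#routing`. If `errors#routing` is meant to be the universal fallback, both lines should read `via: %i[get post put patch delete options]`. Adding `options` here also means an OPTIONS request to any non-existent path now returns 200 with wildcard CORS headers, which the new spec relies on; that presumably requires `cors_preflight_check` to run as a before_action in ErrorsController's chain, which is outside this diff and worth verifying.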
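Review bot: The shared examples assert only a 200 status and an empty body, so they would pass for any route that renders nothing and never check the CORS headers the preflight exists to set. Add to `shared_examples 'empty response'`: `it { expect(response.headers['Access-Control-Allow-Origin']).to eq('*') }` and `it { expect(response.headers['Access-Control-Allow-Methods']).to include('OPTIONS') }`. A negative case is also missing: a non-OPTIONS request such as `get '/this_is_an_invalid_route'` should still yield an error status, e.g. `expect(response).not_to have_http_status(:ok)`, which guards against the new OPTIONS routing turning the error handler into a universal 200.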