From 0044e804912099a6478b747230cdc37b2c8a3047 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Thu, 4 Mar 2021 01:25:30 +0000
Subject: [PATCH] Add CORS config on to /login/oauth/access_token endpoint
 (#14850)

Fix #7204

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lauris BH <lauris@nix.lv>
---
 routers/routes/web.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/routers/routes/web.go b/routers/routes/web.go
index 013000905..22774b2cd 100644
--- a/routers/routes/web.go
+++ b/routers/routes/web.go
@@ -47,6 +47,7 @@ import (
 	"gitea.com/go-chi/session"
 	"github.com/NYTimes/gziphandler"
 	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/cors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/tstranex/u2f"
 	"github.com/unknwon/com"
@@ -389,7 +390,18 @@ func RegisterRoutes(m *web.Route) {
 		// TODO manage redirection
 		m.Post("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
 	}, ignSignInAndCsrf, reqSignIn)
-	m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+	if setting.CORSConfig.Enabled {
+		m.Post("/login/oauth/access_token", cors.Handler(cors.Options{
+			//Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
+			AllowedOrigins: setting.CORSConfig.AllowDomain,
+			//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+			AllowedMethods:   setting.CORSConfig.Methods,
+			AllowCredentials: setting.CORSConfig.AllowCredentials,
+			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
+		}), bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+	} else {
+		m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+	}
 
 	m.Group("/user/settings", func() {
 		m.Get("", userSetting.Profile)