Make OPTIONS method on MSC3916 endpoints available without authentica…

…tion. OPTIONS method is usually sent by browser in preflight requests, most of the time we cannot control preflight request to add auth header. Synapse will return a 204 response directly without authentication for those OPTIONS method. According to firefox's documentation, both 200 and 204 are acceptable so I think there is no need to change handler in dendrite. This closes #3424 No need to add a test because this is just a fix and I have tested on my Cinny Web client personally. Signed-off-by: arenekosreal <17194552+arenekosreal@users.noreply.github.com>
matrix-org · Sep 20, 2024 · 29028d7 · 29028d7
1 parent c914f06
commit 29028d7
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/internal/httputil/httpapi.go b/internal/httputil/httpapi.go
@@ -210,6 +210,12 @@ func MakeExternalAPI(metricsName string, f func(*http.Request) util.JSONResponse
 // This is used to serve HTML alongside JSON error messages
 func MakeHTTPAPI(metricsName string, userAPI userapi.QueryAcccessTokenAPI, enableMetrics bool, f func(http.ResponseWriter, *http.Request), checks ...AuthAPIOption) http.Handler {
 	withSpan := func(w http.ResponseWriter, req *http.Request) {
+		if req.Method == http.MethodOptions {
+			util.SetCORSHeaders(w)
+			w.WriteHeader(http.StatusOK) // Maybe http.StatusNoContent?
+			return
+		}
+
 		trace, ctx := internal.StartTask(req.Context(), metricsName)
 		defer trace.EndTask()
 		req = req.WithContext(ctx)