diff --git a/routers/routes/web.go b/routers/routes/web.go
index 0130009059f4..22774b2cdccc 100644
--- a/routers/routes/web.go
+++ b/routers/routes/web.go
@@ -47,6 +47,7 @@ import (
 "gitea.com/go-chi/session"
 "github.com/NYTimes/gziphandler"
 "github.com/go-chi/chi/middleware"
+ "github.com/go-chi/cors"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/tstranex/u2f"
 "github.com/unknwon/com"
@@ -389,7 +390,18 @@ func RegisterRoutes(m *web.Route) {
 // TODO manage redirection
 m.Post("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
 }, ignSignInAndCsrf, reqSignIn)
- m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+ if setting.CORSConfig.Enabled {
+ m.Post("/login/oauth/access_token", cors.Handler(cors.Options{
+ //Scheme: setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
+ AllowedOrigins: setting.CORSConfig.AllowDomain,
+ //setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
+ AllowedMethods: setting.CORSConfig.Methods,
+ AllowCredentials: setting.CORSConfig.AllowCredentials,
+ MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
+ }), bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+ } else {
+ m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)
+ }
 m.Group("/user/settings", func() {
 m.Get("", userSetting.Profile)
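Review bot: In the second hunk, the `cors.Options` literal leaves `Scheme` and `AllowSubdomain` commented out, so the origin policy enforced on `/login/oauth/access_token` can silently differ from the configured one; if `AllowDomain` holds bare host names, they may also never match an `Origin` header, which carries a scheme (worth confirming against the middleware). `AllowCredentials` is forwarded from config onto a route that also runs `ignSignInAndCsrf`, so a permissive `AllowDomain` combined with credentials deserves an explicit decision here: either pin `AllowCredentials: false,` for this endpoint or reject that combination when the settings are loaded. At minimum I would replace the two FIXMEs with `// NOTE: setting.CORSConfig.Scheme and AllowSubdomain are NOT applied; origins are matched exactly as listed in AllowDomain` and log a warning when either setting is non-default. The handler is attached to an `m.Post` registration only, so it is unclear from this hunk whether an `OPTIONS` preflight ever reaches it. `RegisterRoutes` starts and ends outside the hunk, so this is based on the visible lines only.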