From 4bcd5ed416dee1b6a997f44244a61299abf2b7f3 Mon Sep 17 00:00:00 2001
From: fipwmaqzufheoxq92ebc <29818044+fipwmaqzufheoxq92ebc@users.noreply.github.com>
Date: Mon, 31 Aug 2020 18:18:03 +0200
Subject: [PATCH] CORS: don't require authentication on OPTIONS
---
 app.php | 2 +-
 middleware/CorsMiddleware.php | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/app.php b/app.php
index 6cb9703e..2eca5054 100644
--- a/app.php
+++ b/app.php
@@ -79,5 +79,5 @@ $errorMiddleware->setDefaultErrorHandler(
 new \Grocy\Controllers\ExceptionController($app, $container)
 );
-$app->add(CorsMiddleware::class);
+$app->add(new CorsMiddleware($app->getResponseFactory()));
 $app->run();
diff --git a/middleware/CorsMiddleware.php b/middleware/CorsMiddleware.php
index 1c9a77d2..f6d98690 100644
--- a/middleware/CorsMiddleware.php
+++ b/middleware/CorsMiddleware.php
@@ -2,22 +2,37 @@ namespace Grocy\Middleware;
+use Psr\Http\Message\ResponseFactoryInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
 use Psr\Http\Message\ResponseInterface as Response;
 use Slim\Routing\RouteContext;
-class CorsMiddleware extends BaseMiddleware
+class CorsMiddleware
 {
+ /**
+ * @var ResponseFactoryInterface
+ */
+ private $responseFactory;
+
+ public function __construct(ResponseFactoryInterface $responseFactory)
+ {
+ $this->responseFactory = $responseFactory;
+ }
+
 public function __invoke(Request $request, RequestHandler $handler): Response
 {
+ if ($request->getMethod() == "OPTIONS")
+ $response = $this->responseFactory->createResponse(200);
+ else {
+ $response = $handler->handle($request);
+
+ }
 //$routeContext = RouteContext::fromRequest($request);
 //$routingResults = $routeContext->getRoutingResults();
 //$methods = $routingResults->getAllowedMethods();
 //$requestHeaders = $request->getHeaderLine('Access-Control-Request-Headers');
- $response = $handler->handle($request);
-
 $response = $response->withHeader('Access-Control-Allow-Origin', '*');
 $response = $response->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
 $response = $response->withHeader('Access-Control-Allow-Headers', '*');
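Review bot: The new `OPTIONS` branch in `__invoke` answers every OPTIONS request with 200 before the handler runs, not only CORS preflights, so routing and authentication are skipped for any path, including ones that do not exist. Narrowing the guard to real preflights keeps the bypass as small as the commit title intends: `if ($request->getMethod() === 'OPTIONS' && $request->hasHeader('Access-Control-Request-Method')) {`, with a strict comparison and braces on both branches to match the `else`. The context lines below still attach `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Headers: *` to that unauthenticated reply, so every origin passes preflight. That is presumably intended, but a short comment such as `// preflight only: the actual request is still authenticated by the handler` would record the assumption for the next reader. The body of `__invoke` continues past the end of this hunk.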