From be3a09b73ad60f0de713a0c8f10e44be113b4aa3 Mon Sep 17 00:00:00 2001
From: MrMelon54 <github@mrmelon54.com>
Date: Thu, 14 Dec 2023 23:41:39 +0000
Subject: [PATCH] Add CORS headers to /verify endpoint

---
 server/server.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/server.go b/server/server.go
index 749d75f..dad2fc7 100644
--- a/server/server.go
+++ b/server/server.go
@@ -63,11 +63,11 @@ func NewHttpServer(conf Conf, signer mjwt.Signer) *HttpServer {
 		rw.WriteHeader(http.StatusOK)
 		_, _ = fmt.Fprintln(rw, "What is this?")
 	})
-	r.POST("/verify", hs.verifyHandler)
 	r.GET("/popup", hs.flowPopup)
 	r.POST("/popup", hs.flowPopupPost)
 	r.GET("/callback", hs.flowCallback)
 
+	// setup CORS options for `/verify` and `/refresh` endpoints
 	var corsAccessControl = cors.New(cors.Options{
 		AllowOriginFunc: func(origin string) bool {
 			load := hs.services.Load()
@@ -78,6 +78,13 @@ func NewHttpServer(conf Conf, signer mjwt.Signer) *HttpServer {
 		AllowedHeaders:   []string{"Content-Type"},
 		AllowCredentials: true,
 	})
+
+	// `/verify` and `/refresh` need CORS headers to be usable on other domains
+	r.POST("/verify", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		corsAccessControl.ServeHTTP(rw, req, func(writer http.ResponseWriter, request *http.Request) {
+			hs.verifyHandler(rw, req, params)
+		})
+	})
 	r.POST("/refresh", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		corsAccessControl.ServeHTTP(rw, req, func(writer http.ResponseWriter, request *http.Request) {
 			hs.refreshHandler(rw, req, params)