Merge pull request #288 from Earlopain/cors

[CORS] Allow authorization header

app/controllers/application_controller.rb

@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   class APIThrottled < Exception; end
 
-  skip_forgery_protection if: -> { SessionLoader.new(request).has_api_authentication? }
+  skip_forgery_protection if: -> { SessionLoader.new(request).has_api_authentication? || request.options? }
   before_action :reset_current_user
   before_action :set_current_user
   before_action :normalize_search
@@ -23,6 +23,11 @@ class ApplicationController < ActionController::Base
   # here, so calling `rescue_exception` would cause a double render error.
   rescue_from ActionController::InvalidCrossOriginRequest, with: -> {}
 
+  def enable_cors
+    response.headers["Access-Control-Allow-Origin"] = "*"
+    response.headers["Access-Control-Allow-Headers"] = "Authorization"
+  end
+
   protected
 
   def self.rescue_with(*klasses, status: 500)
@@ -31,10 +36,6 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def enable_cors
-    response.headers["Access-Control-Allow-Origin"] = "*"
-  end
-
   def api_check
     if !CurrentUser.is_anonymous? && !request.get? && !request.head?
       throttled = CurrentUser.user.token_bucket.throttled?

config/routes.rb

@@ -407,6 +407,8 @@ Rails.application.routes.draw do
     end
   end
 
+  options "*all", to: "application#enable_cors"
+
   # aliases
   resources :wpages, :controller => "wiki_pages"
   resources :ftopics, :controller => "forum_topics"