6451: Don't crash on ArgumentError. Add test to verify that it doesn't crash.

[arvados.git] / services / api / config / routes.rb

diff --git a/services/api/config/routes.rb b/services/api/config/routes.rb
index c3539387f3c8fc90e222c0c213384ee2d75fe292..27fd67cece046268f449a8cc18ad35b30d128b44 100644 (file)
--- a/services/api/config/routes.rb
+++ b/services/api/config/routes.rb
@@ -3,6 +3,14 @@ Server::Application.routes.draw do
 
   # See http://guides.rubyonrails.org/routing.html
 
+  # OPTIONS requests are not allowed at routes that use cookies.
+  ['/auth/*a', '/login', '/logout'].each do |nono|
+    match nono, :to => 'user_sessions#cross_origin_forbidden', :via => 'OPTIONS'
+  end
+  # OPTIONS at discovery and API paths get an empty response with CORS headers.
+  match '/discovery/v1/*a', :to => 'static#empty', :via => 'OPTIONS'
+  match '/arvados/v1/*a', :to => 'static#empty', :via => 'OPTIONS'
+
   namespace :arvados do
     namespace :v1 do
       resources :api_client_authorizations do
@@ -70,6 +78,8 @@ Server::Application.routes.draw do
   # omniauth
   match '/auth/:provider/callback', :to => 'user_sessions#create'
   match '/auth/failure', :to => 'user_sessions#failure'
+  # not handled by omniauth provider -> 403 with no CORS headers.
+  get '/auth/*a', :to => 'user_sessions#cross_origin_forbidden'
 
   # Custom logout
   match '/login', :to => 'user_sessions#login'