X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/224f384d411bb1b4cccc7165c55bb64fd5c695ad..e67d0f5d43c56f78694ea4a5f93acec5c93cd0fb:/services/arv-git-httpd/auth_handler.go
diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go
index 9f92cd1b72..b7373b5c1e 100644
--- a/services/arv-git-httpd/auth_handler.go
+++ b/services/arv-git-httpd/auth_handler.go
@@ -1,3 +1,7 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
 package main
 
 import (
@@ -39,6 +43,29 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 
 w := httpserver.WrapResponseWriter(wOrig)
 
+ if r.Method == "OPTIONS" {
+ method := r.Header.Get("Access-Control-Request-Method")
+ if method != "GET" && method != "POST" {
+ w.WriteHeader(http.StatusMethodNotAllowed)
+ return
+ }
+ w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ w.Header().Set("Access-Control-Max-Age", "86400")
+ w.WriteHeader(http.StatusOK)
+ return
+ }
+
+ if r.Header.Get("Origin") != "" {
+ // Allow simple cross-origin requests without user
+ // credentials ("user credentials" as defined by CORS,
+ // i.e., cookies, HTTP authentication, and client-side
+ // SSL certificates. See
+ // http://www.w3.org/TR/cors/#user-credentials).
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ }
+
 defer func() {
 if w.WroteStatus() == 0 {
 // Nobody has called WriteHeader yet: that
@@ -74,7 +101,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 // "foo/bar".
 pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2)
 if len(pathParts) != 2 {
- statusCode, statusText = http.StatusBadRequest, "bad request"
+ statusCode, statusText = http.StatusNotFound, "not found"
 return
 }
 repoName = pathParts[0]
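Review bot: The `Origin` branch in the second hunk sets `Access-Control-Allow-Origin: *` only when the request carries an `Origin` header, yet nothing marks the response as varying on that header, so a shared cache could replay a copy without it to a cross-origin client; add `w.Header().Add("Vary", "Origin")` beside it, or set the header unconditionally. The preflight branch also allows `Authorization` from every origin, which is safe only while this handler authenticates solely from credentials the calling script supplies explicitly and never from cookies or other ambient state. The comment should state that invariant, so a later change does not add `Access-Control-Allow-Credentials` or echo the request origin. The 405 reply for an unsupported `Access-Control-Request-Method` would normally carry an `Allow` header as well. ServeHTTP starts and ends outside this hunk, so how the token is read cannot be confirmed from here.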