Update CORS

vishalegbert-ttd · vishalegbert-ttd · commit 817b68a89073 · 2025-12-01T11:59:01.000+11:00
diff --git a/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java b/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java
@@ -235,13 +235,8 @@ public void start(Promise<Void> startPromise) throws Exception {
 
     }
 
-    private Router createRoutesSetup() throws IOException {
-        final Router router = Router.router(vertx);
-
-        router.allowForward(AllowForwardHeaders.X_FORWARD);
-        router.route().handler(new RequestCapturingHandler(siteProvider));
-        router.route().handler(new ClientVersionCapturingHandler("static/js", "*.js", clientKeyProvider));
-        router.route().handler(CorsHandler.create()
+    private CorsHandler createCorsHandler() {
+        return CorsHandler.create()
                 .addRelativeOrigin(".*.")
                 .allowedMethod(io.vertx.core.http.HttpMethod.GET)
                 .allowedMethod(io.vertx.core.http.HttpMethod.POST)
@@ -251,7 +246,17 @@ private Router createRoutesSetup() throws IOException {
                 .allowedHeader("Access-Control-Allow-Credentials")
                 .allowedHeader("Access-Control-Allow-Origin")
                 .allowedHeader("Access-Control-Allow-Headers")
-                .allowedHeader("Content-Type"));
+                .allowedHeader("Content-Type");
+    }
+
+    private Router createRoutesSetup() throws IOException {
+        final Router router = Router.router(vertx);
+
+        router.allowForward(AllowForwardHeaders.X_FORWARD);
+        router.route().handler(new RequestCapturingHandler(siteProvider));
+        router.route().handler(new ClientVersionCapturingHandler("static/js", "*.js", clientKeyProvider));
+        router.route(V2_TOKEN_VALIDATE.toString()).handler(createCorsHandler().allowedHeader("Authorization"));
+        router.route().handler(createCorsHandler());
         router.route().handler(new StatsCollectorHandler(_statsCollectorQueue, vertx));
         router.route("/static/*").handler(StaticHandler.create("static"));
         router.route().handler(ctx -> {
diff --git a/src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java b/src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java
@@ -2311,6 +2311,50 @@ void tokenValidateWithEmailHash_Mismatch(Vertx vertx, VertxTestContext testConte
                 });
     }
 
+    @Test
+    void corsTokenValidateAllowsAuthorizationHeader(Vertx vertx, VertxTestContext testContext) {
+        WebClient client = WebClient.create(vertx);
+        client.requestAbs(io.vertx.core.http.HttpMethod.OPTIONS, getUrlForEndpoint("v2/token/validate"))
+                .putHeader("Origin", "https://example.com")
+                .putHeader("Access-Control-Request-Method", "POST")
+                .putHeader("Access-Control-Request-Headers", "Content-Type, Authorization")
+                .send(ar -> {
+                    assertTrue(ar.succeeded());
+                    HttpResponse<Buffer> response = ar.result();
+                    assertEquals(204, response.statusCode());
+
+                    String allowedHeaders = response.getHeader("Access-Control-Allow-Headers");
+                    assertNotNull(allowedHeaders, "Access-Control-Allow-Headers header should be present");
+                    assertTrue(allowedHeaders.contains("Content-Type"), "Content-Type should be allowed");
+                    assertTrue(allowedHeaders.contains(ClientVersionHeader), "Client version header should be allowed");
+                    assertTrue(allowedHeaders.contains("Authorization"), "Authorization header should be allowed for token/validate");
+
+                    testContext.completeNow();
+                });
+    }
+
+    @Test
+    void corsTokenGenerateDoesNotAllowAuthorizationHeader(Vertx vertx, VertxTestContext testContext) {
+        WebClient client = WebClient.create(vertx);
+        client.requestAbs(io.vertx.core.http.HttpMethod.OPTIONS, getUrlForEndpoint("v2/token/generate"))
+                .putHeader("Origin", "https://example.com")
+                .putHeader("Access-Control-Request-Method", "POST")
+                .putHeader("Access-Control-Request-Headers", "Content-Type, Authorization")
+                .send(ar -> {
+                    assertTrue(ar.succeeded());
+                    HttpResponse<Buffer> response = ar.result();
+                    assertEquals(204, response.statusCode());
+
+                    String allowedHeaders = response.getHeader("Access-Control-Allow-Headers");
+                    assertNotNull(allowedHeaders, "Access-Control-Allow-Headers header should be present");
+                    assertTrue(allowedHeaders.contains("Content-Type"), "Content-Type should be allowed");
+                    assertTrue(allowedHeaders.contains(ClientVersionHeader), "Client version header should be allowed");
+                    assertFalse(allowedHeaders.contains("Authorization"), "Authorization header should NOT be allowed for token/generate");
+
+                    testContext.completeNow();
+                });
+    }
+
     @Test
     void identityMapBatchBothEmailAndHashEmpty(Vertx vertx, VertxTestContext testContext) {
         final int clientSiteId = 201;
