From 4a4b2f62cc27b68da55f60e8c16823e0be5b01ae Mon Sep 17 00:00:00 2001
From: Katharina Irrgang
Date: Wed, 18 Jan 2017 18:36:47 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20=20re-order=20api=20middlewares:?= =?UTF-8?q?=20cors=20middleware=20before=20connect-slashes=20(#7861)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

closes #7839
- when a browser sends a request to the API without a trailing slash, we are using connect-slashes to redirect permanently
- but because the CORS middleware was registered after the redirect, the CORS headers got lost
---
 core/server/api/app.js | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/core/server/api/app.js b/core/server/api/app.js
index 21fca43dcd..9ba3409843 100644
--- a/core/server/api/app.js
+++ b/core/server/api/app.js
@@ -35,17 +35,13 @@ var debug = require('debug')('ghost:api'),
 authenticatePublic = [
 auth.authenticate.authenticateClient,
 auth.authenticate.authenticateUser,
- auth.authorize.requiresAuthorizedUserPublicAPI,
- // @TODO do we really need this multiple times or should it be global?
- cors
+ auth.authorize.requiresAuthorizedUserPublicAPI
 ],
 // Require user for private endpoints
 authenticatePrivate = [
 auth.authenticate.authenticateClient,
 auth.authenticate.authenticateUser,
- auth.authorize.requiresAuthorizedUser,
- // @TODO do we really need this multiple times or should it be global?
- cors
+ auth.authorize.requiresAuthorizedUser
 ];
 // @TODO refactor/clean this up - how do we want the routing to work long term?
@@ -226,6 +222,8 @@ module.exports = function setupApiApp() {
 apiApp.use(bodyParser.json({limit: '1mb'}));
 apiApp.use(bodyParser.urlencoded({extended: true, limit: '1mb'}));
+ apiApp.use(cors);
+
 // send 503 json response in case of maintenance
 apiApp.use(maintenance);
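Review bot: The added `apiApp.use(cors);` in the second hunk has no comment explaining that its position is what the fix relies on: per the commit message it has to run before the connect-slashes redirect, whose registration is outside the hunk (setupApiApp starts and ends outside it too). I would put `// must stay before the trailing-slash redirect, otherwise the 301 goes out without CORS headers (#7839)` above it so a later reorder does not bring the bug back. With `cors` also dropped from the end of `authenticatePublic` and `authenticatePrivate` in the first hunk, the headers are now decided before authentication and for every route on `apiApp`, so 401/403 responses and any route that used neither array become readable cross-origin to whatever origins the middleware allows. That policy is not visible in this diff; it is worth confirming that it only accepts configured origins, and that it sends `Vary: Origin`, since the permanent redirect can be cached by the browser.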