
Commit 00a92f3

author
qxip
committed
CORS/Auth improvements
1 parent ff437d5 commit 00a92f3

1 file changed

+15
-16
lines changed


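--- a/src/httpserver_extension.cpp
+++ b/src/httpserver_extension.cpp
@@ -219,23 +219,17 @@ static std::string ConvertResultToXML(MaterializedQueryResult &result) {
 void HandleHttpRequest(const duckdb_httplib_openssl::Request& req, duckdb_httplib_openssl::Response& res) {
 std::string query;
 
-// Check authentication
-if (!IsAuthenticated(req)) {
-res.status = 401;
-res.set_content("Unauthorized", "text/plain");
-return;
-}
-
-// CORS allow
+// CORS allow - set these headers for all requests
 res.set_header("Access-Control-Allow-Origin", "*");
 res.set_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PUT");
-res.set_header("Access-Control-Allow-Headers", "*");
+res.set_header("Access-Control-Allow-Headers", "Content-Type, X-API-Key, Authorization, X-ClickHouse-Format, format");
 res.set_header("Access-Control-Allow-Credentials", "true");
 res.set_header("Access-Control-Max-Age", "86400");
 
-// Handle preflight OPTIONS request
-if (req.method == "OPTIONS") {
-res.status = 204; // No content
+// Check authentication for actual requests (OPTIONS are handled separately)
+if (!IsAuthenticated(req)) {
+res.status = 401;
+res.set_content("Unauthorized", "text/plain");
 return;
 }
 
@@ -344,15 +338,16 @@ void HttpServerStart(DatabaseInstance& db, string_t host, int32_t port, string_t
 }
 }
 
-// CORS Preflight
+// CORS Preflight - no authentication required for OPTIONS requests
 global_state.server->Options(base_path,
 [](const duckdb_httplib_openssl::Request& /*req*/, duckdb_httplib_openssl::Response& res) {
 res.set_header("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
 res.set_header("Content-Type", "text/html; charset=utf-8");
-res.set_header("Access-Control-Allow-Headers", "*");
+res.set_header("Access-Control-Allow-Headers", "Content-Type, X-API-Key, Authorization, X-ClickHouse-Format, format");
 res.set_header("Access-Control-Allow-Origin", "*");
 res.set_header("Access-Control-Allow-Credentials", "true");
 res.set_header("Connection", "close");
+res.status = 204; // No content for preflight
 return duckdb_httplib_openssl::Server::HandlerResponse::Handled;
 });
 
@@ -363,9 +358,13 @@ void HttpServerStart(DatabaseInstance& db, string_t host, int32_t port, string_t
 global_state.server->Get(base_path, HandleHttpRequest);
 global_state.server->Post(base_path, HandleHttpRequest);
 
-// Health check endpoint
-// Health check endpoint, now relative to base_path
+// Health check endpoint - no authentication required
 global_state.server->Get(base_path + "ping", [](const duckdb_httplib_openssl::Request& req, duckdb_httplib_openssl::Response& res) {
+// Set CORS headers for health check endpoint
+res.set_header("Access-Control-Allow-Origin", "*");
+res.set_header("Access-Control-Allow-Methods", "GET, OPTIONS");
+res.set_header("Access-Control-Allow-Headers", "Content-Type");
+res.set_header("Access-Control-Allow-Credentials", "true");
 res.set_content("OK", "text/plain");
 });
 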
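Review bot: The new ping handler sends `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, a pair the Fetch/CORS spec treats as invalid — browsers reject a credentialed cross-origin response whose allowed origin is the wildcard, so the credentials header buys nothing here and only documents an intent the server cannot honour. Since this endpoint is explicitly unauthenticated and returns a constant body, the simplest fix is to drop `res.set_header("Access-Control-Allow-Credentials", "true");` from the lambda; if credentialed access is genuinely wanted, the handler would instead have to echo a specific, configured origin (and add `Vary: Origin`) rather than `*`. The same wildcard-plus-credentials combination already exists as context in HandleHttpRequest and in the Options handler in the earlier hunks, so whichever direction is chosen should be applied consistently. One further inconsistency worth a look: HandleHttpRequest advertises `GET, POST, OPTIONS, PUT` while the preflight handler advertises only `POST, GET, OPTIONS`, so a cross-origin PUT would presumably fail at preflight even though the main handler claims to allow it. The ping lambda's `req` parameter is also unused and could be commented out like the one in the Options handler.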