Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
19e54858
Commit
19e54858
authored
Jan 26, 2021
by
dcouture
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Allow CORS on /oauth/token
parent
eb380cd3
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
27 additions
and
0 deletions
+27
-0
changelogs/unreleased/pkce-cors.yml
changelogs/unreleased/pkce-cors.yml
+5
-0
config/application.rb
config/application.rb
+8
-0
spec/requests/oauth/tokens_controller_spec.rb
spec/requests/oauth/tokens_controller_spec.rb
+14
-0
No files found.
changelogs/unreleased/pkce-cors.yml
0 → 100644
View file @
19e54858
---
title
:
Allow cross-origin requests on /oauth/token
merge_request
:
52641
author
:
type
:
fixed
config/application.rb
View file @
19e54858
...
...
@@ -289,6 +289,14 @@ module Gitlab
methods: :any
,
expose:
headers_to_expose
end
# Cross-origin requests must be enabled for the Authorization code with PKCE OAuth flow when used from a browser.
allow
do
origins
'*'
resource
'/oauth/token'
,
credentials:
false
,
methods:
[
:post
]
end
end
# Use caching across all environments
...
...
spec/requests/oauth/tokens_controller_spec.rb
0 → 100644
View file @
19e54858
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
Oauth
::
TokensController
do
it
'allows cross-origin POST requests'
do
post
'/oauth/token'
,
headers:
{
'Origin'
=>
'http://notgitlab.com'
}
expect
(
response
.
headers
[
'Access-Control-Allow-Origin'
]).
to
eq
'*'
expect
(
response
.
headers
[
'Access-Control-Allow-Methods'
]).
to
eq
'POST'
expect
(
response
.
headers
[
'Access-Control-Allow-Headers'
]).
to
be_nil
expect
(
response
.
headers
[
'Access-Control-Allow-Credentials'
]).
to
be_nil
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment