🐛 re-order api middlewares: cors middleware before connect-slashes (#…

…7861) closes #7839 - when a browser sends a request to the API without a trailing slash, we are using connect-slashes to redirect permanently - but because the CORS middleware was registered after the redirect, the CORS headers got lost
TryGhost · Jan 18, 2017 · 4a4b2f6 · 4a4b2f6
1 parent 2f3081f
commit 4a4b2f6
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/core/server/api/app.js b/core/server/api/app.js
@@ -35,17 +35,13 @@ var debug = require('debug')('ghost:api'),
     authenticatePublic = [
         auth.authenticate.authenticateClient,
         auth.authenticate.authenticateUser,
-        auth.authorize.requiresAuthorizedUserPublicAPI,
-        // @TODO do we really need this multiple times or should it be global?
-        cors
+        auth.authorize.requiresAuthorizedUserPublicAPI
     ],
     // Require user for private endpoints
     authenticatePrivate = [
         auth.authenticate.authenticateClient,
         auth.authenticate.authenticateUser,
-        auth.authorize.requiresAuthorizedUser,
-        // @TODO do we really need this multiple times or should it be global?
-        cors
+        auth.authorize.requiresAuthorizedUser
     ];
 
 // @TODO refactor/clean this up - how do we want the routing to work long term?
@@ -226,6 +222,8 @@ module.exports = function setupApiApp() {
     apiApp.use(bodyParser.json({limit: '1mb'}));
     apiApp.use(bodyParser.urlencoded({extended: true, limit: '1mb'}));
 
+    apiApp.use(cors);
+
     // send 503 json response in case of maintenance
     apiApp.use(maintenance);