Don't require signin for OPTIONS requests #33759

@mattfysh

Description

Hi there, I'm running git-wasm in a web app which is why I need to get the CORS settings right. In my helm chart settings I have:

repository:
  ACCESS_CONTROL_ALLOW_ORIGIN: http://web.app.url
service:
  REQUIRE_SIGNIN_VIEW: true

The issue is that any incoming OPTIONS requests sent by the browser during preflight are being denied by this piece of logic:

func addOwnerRepoGitHTTPRouters(m *web.Router) {
    reqGitSignIn := func(ctx *context.Context) {
        if !setting.Service.RequireSignInView {
            return
        }
        // rely on the results of Contexter

Browsers typically will not send authorization headers with a preflight OPTIONS request, and they will not process any returned 'www-authenticate' header instructions, so this prevents any git-over-http requests from succeeding in the browser.

The only workaround currently is to set REQUIRE_SIGNIN_VIEW to false.

Gitea Version

1.24.0+dev-342-gead716d204

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Via the helm chart provided here https://gitea.com/gitea/helm-chart

Database

None
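
The failure reported above, and one way a sign-in gate can answer CORS preflights without opening the git endpoint, as an added example that is not part of the original issue and is not Gitea's code. `requireSignIn`, `isPreflight` and `status` are hypothetical names, and the request path and credentials are constructed; only the origin value comes from the report.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

const allowedOrigin = "http://web.app.url" // ACCESS_CONTROL_ALLOW_ORIGIN from the report

// isPreflight: OPTIONS plus the two headers a browser attaches to a CORS preflight.
func isPreflight(r *http.Request) bool {
	return r.Method == http.MethodOptions && r.Header.Get("Origin") != "" &&
		r.Header.Get("Access-Control-Request-Method") != ""
}

// requireSignIn is a hypothetical sign-in gate. With skipPreflight set, a preflight from
// the allowed origin gets CORS headers and stops here; all other requests need credentials.
func requireSignIn(skipPreflight bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if skipPreflight && isPreflight(r) && r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		if _, _, ok := r.BasicAuth(); !ok { // presence only; real code verifies the credentials
			w.Header().Set("WWW-Authenticate", `Basic realm="git"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through the gate and returns the HTTP status.
func status(skip bool, method, origin string, withAuth bool) int {
	git := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	r := httptest.NewRequest(method, "/owner/repo.git/info/refs?service=git-upload-pack", nil)
	r.Header.Set("Origin", origin) // an empty origin models a non-browser client
	r.Header.Set("Access-Control-Request-Method", "GET")
	if withAuth {
		r.SetBasicAuth("user", "constructed-password")
	}
	rec := httptest.NewRecorder()
	requireSignIn(skip, git).ServeHTTP(rec, r)
	return rec.Code
}

func main() { println(status(false, "OPTIONS", allowedOrigin, false), status(true, "OPTIONS", allowedOrigin, false)) }
```

The preflight branch returns before `next`, so an unauthenticated OPTIONS never reaches the git handler, and an OPTIONS request from any other origin or without an `Origin` header still gets 401.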
