Fix authorization header in cors (#21662)

* Fix authorization headers in cors * Use aiohttp authorization header instead of custom const
home-assistant · Mar 9, 2019 · 4d9cf15 · 4d9cf15
1 parent fc81826
commit 4d9cf15
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/homeassistant/components/http/cors.py b/homeassistant/components/http/cors.py
@@ -1,13 +1,13 @@
 """Provide CORS support for the HTTP component."""
-from aiohttp.hdrs import ACCEPT, CONTENT_TYPE, ORIGIN
+from aiohttp.hdrs import ACCEPT, CONTENT_TYPE, ORIGIN, AUTHORIZATION
 
 from homeassistant.const import (
     HTTP_HEADER_HA_AUTH, HTTP_HEADER_X_REQUESTED_WITH)
 from homeassistant.core import callback
 
 ALLOWED_CORS_HEADERS = [
     ORIGIN, ACCEPT, HTTP_HEADER_X_REQUESTED_WITH, CONTENT_TYPE,
-    HTTP_HEADER_HA_AUTH]
+    HTTP_HEADER_HA_AUTH, AUTHORIZATION]
 
 
 @callback

diff --git a/tests/components/http/test_cors.py b/tests/components/http/test_cors.py
@@ -7,11 +7,14 @@
     ACCESS_CONTROL_ALLOW_HEADERS,
     ACCESS_CONTROL_REQUEST_HEADERS,
     ACCESS_CONTROL_REQUEST_METHOD,
+    AUTHORIZATION,
     ORIGIN
 )
 import pytest
 
-from homeassistant.const import HTTP_HEADER_HA_AUTH
+from homeassistant.const import (
+    HTTP_HEADER_HA_AUTH
+)
 from homeassistant.setup import async_setup_component
 from homeassistant.components.http.cors import setup_cors
 from homeassistant.components.http.view import HomeAssistantView
@@ -84,6 +87,15 @@ async def test_cors_requests(client):
     assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
         TRUSTED_ORIGIN
 
+    # With auth token in headers
+    req = await client.get('/', headers={
+        AUTHORIZATION: 'Bearer some-token',
+        ORIGIN: TRUSTED_ORIGIN
+    })
+    assert req.status == 200
+    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
+        TRUSTED_ORIGIN
+
 
 async def test_cors_preflight_allowed(client):
     """Test cross origin resource sharing preflight (OPTIONS) request."""