fix: client specific CORS

oauth2/oauth2_auth_code_test.go

@@ -848,9 +848,6 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 						resp := makeRequest(req)
 						require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 					})
-					t.Logf("Got token: %s", token.AccessToken)
-
-					// time.Sleep(time.Millisecond * 1200) // Makes sure exp/iat/nbf time is different later on
 
 					res, err := testRefresh(t, token, ts.URL, tc.checkExpiry)
 					require.NoError(t, err)
@@ -862,8 +859,6 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 					var refreshedToken oauth2.Token
 					require.NoError(t, json.Unmarshal(body, &refreshedToken))
 
-					t.Logf("Got refresh token: %s", refreshedToken.AccessToken)
-
 					if tc.assertAccessToken != nil {
 						tc.assertAccessToken(t, refreshedToken.AccessToken)
 					}
@@ -988,7 +983,6 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 						require.NoError(t, json.Unmarshal(body, &refreshedToken))
 
 						refreshedAccessTokenClaims := testhelpers.IntrospectToken(t, oauthConfig, &refreshedToken, ts)
-
 						assert.Equal(t, origAccessTokenClaims, refreshedAccessTokenClaims)
 					})
 

x/oauth2cors/cors.go

@@ -92,6 +92,12 @@ func Middleware(
 				}
 			}
 
+			// pre-flight requests do not contain credentials (cookies, HTTP authorization)
+			// so we return true in all cases here.
+			if r.Method == http.MethodOptions {
+				return true
+			}
+
 			username, _, ok := r.BasicAuth()
 			if !ok || username == "" {
 				token := fosite.AccessTokenFromRequest(r)

x/oauth2cors/cors_test.go

@@ -53,6 +53,7 @@ func TestOAuth2AwareCORSMiddleware(t *testing.T) {
 		code         int
 		header       http.Header
 		expectHeader http.Header
+		method       string
 	}{
 		{
 			d:            "should ignore when disabled",
@@ -161,6 +162,17 @@ func TestOAuth2AwareCORSMiddleware(t *testing.T) {
 			header:       http.Header{"Origin": {"http://foobar.com"}, "Authorization": {fmt.Sprintf("Basic %s", x.BasicAuth("foo-7", "bar"))}},
 			expectHeader: http.Header{"Access-Control-Allow-Credentials": []string{"true"}, "Access-Control-Allow-Origin": []string{"http://foobar.com"}, "Access-Control-Expose-Headers": []string{"Content-Type"}, "Vary": []string{"Origin"}},
 		},
+		{
+			d: "should succeed on pre-flight request when token introspection fails",
+			prep: func(t *testing.T, r driver.Registry) {
+				r.Config().MustSet(context.Background(), "serve.public.cors.enabled", true)
+				r.Config().MustSet(context.Background(), "serve.public.cors.allowed_origins", []string{"http://not-test-domain.com"})
+			},
+			code:         http.StatusNotImplemented,
+			header:       http.Header{"Origin": {"http://foobar.com"}, "Authorization": {"Bearer 1234"}},
+			expectHeader: http.Header{"Access-Control-Allow-Credentials": []string{"true"}, "Access-Control-Allow-Origin": []string{"http://foobar.com"}, "Access-Control-Expose-Headers": []string{"Content-Type"}, "Vary": []string{"Origin"}},
+			method:       "OPTIONS",
+		},
 		{
 			d: "should fail when token introspection fails",
 			prep: func(t *testing.T, r driver.Registry) {
@@ -238,7 +250,11 @@ func TestOAuth2AwareCORSMiddleware(t *testing.T) {
 				tc.prep(t, r)
 			}
 
-			req, err := http.NewRequest("GET", "http://foobar.com/", nil)
+			method := "GET"
+			if tc.method != "" {
+				method = tc.method
+			}
+			req, err := http.NewRequest(method, "http://foobar.com/", nil)
 			require.NoError(t, err)
 			for k := range tc.header {
 				req.Header.Set(k, tc.header.Get(k))