From 550ab441c54155fbe7150b7c904525020f9d10a0 Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood <nick@craig-wood.com>
Date: Mon, 10 Jun 2019 16:38:58 +0100
Subject: [PATCH] rc: Skip auth for OPTIONS request

Before this change using --user and --pass was impossible on the rc
from a browser as the browser needed to make the OPTIONS request first
before sending Authorization: headers, but the OPTIONS request
required an Authorization: header.

After this change we allow OPTIONS requests to go through without
checking the Authorization: header.
---
 cmd/serve/httplib/httplib.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cmd/serve/httplib/httplib.go b/cmd/serve/httplib/httplib.go
index 2844b7c40..ccbf4647e 100644
--- a/cmd/serve/httplib/httplib.go
+++ b/cmd/serve/httplib/httplib.go
@@ -150,6 +150,11 @@ func NewServer(handler http.Handler, opt *Options) *Server {
 		authenticator := auth.NewBasicAuthenticator(s.Opt.Realm, secretProvider)
 		oldHandler := handler
 		handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// No auth wanted for OPTIONS method
+			if r.Method == "OPTIONS" {
+				oldHandler.ServeHTTP(w, r)
+				return
+			}
 			if username := authenticator.CheckAuth(r); username == "" {
 				authHeader := r.Header.Get(authenticator.Headers.V().Authorization)
 				if authHeader != "" {