Allow credentials for cors requests
diff --git a/scripts/lua/cors.lua b/scripts/lua/cors.lua
index 6e5c6db..ea11579 100644
--- a/scripts/lua/cors.lua
+++ b/scripts/lua/cors.lua
@@ -19,13 +19,13 @@
-- Used to set cors headers for preflight and simple requests
local _M = {}
-local request = require "lib/request"
+local request = require 'lib/request'
function _M.processCall(resourceConfig)
if resourceConfig.cors ~= nil then
ngx.var.cors_origins = resourceConfig.cors.origin
ngx.var.cors_methods = resourceConfig.cors.methods
- if resourceConfig.cors.origin ~= 'false' and ngx.req.get_method() == "OPTIONS" then
+ if resourceConfig.cors.origin ~= 'false' and ngx.req.get_method() == 'OPTIONS' then
request.success(200)
end
end
@@ -33,23 +33,14 @@
function _M.replaceHeaders()
if ngx.var.cors_origins ~= nil then
- if ngx.var.cors_origins == 'true' then
- ngx.header['Access-Control-Allow-Headers'] = ngx.req.get_headers()['Access-Control-Request-Headers']
- ngx.header['Access-Control-Allow-Origin'] = '*'
- ngx.header['Access-Control-Allow-Methods'] = ngx.var.cors_methods
- if ngx.var.cors_methods == nil then
- ngx.header['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS'
- end
- elseif ngx.var.cors_origins == 'false' then
+ if ngx.var.cors_origins == 'false' then
ngx.header['Access-Control-Allow-Origin'] = nil
ngx.header['Access-Control-Allow-Methods'] = nil
else
- ngx.header['Access-Control-Allow-Origin'] = ngx.var.cors_origins
- ngx.header['Access-Control-Allow-Methods'] = ngx.var.cors_methods
+ ngx.header['Access-Control-Allow-Origin'] = ngx.var.cors_origins == 'true' and (ngx.var.http_origin or '*') or ngx.var.cors_origins
+ ngx.header['Access-Control-Allow-Methods'] = ngx.var.cors_methods or 'GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS'
ngx.header['Access-Control-Allow-Headers'] = ngx.req.get_headers()['Access-Control-Request-Headers']
- if ngx.var.cors_methods == nil then
- ngx.header['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS'
- end
+ ngx.header['Access-Control-Allow-Credentials'] = 'true'
end
end
end
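Review bot: In the `else` branch of `replaceHeaders`, a resource configured with `cors_origins == 'true'` now has the caller's `Origin` header reflected into `Access-Control-Allow-Origin` alongside an unconditional `Access-Control-Allow-Credentials: true`, so any website can read cookie- or auth-bearing responses for that resource from a visitor's browser. Credentials should be enabled only for origins named explicitly in the resource config; for the wildcard setting keep `'*'` and guard the new line, e.g. `if ngx.var.cors_origins ~= 'true' then ngx.header['Access-Control-Allow-Credentials'] = 'true' end`. If origin reflection is kept, the response also needs `ngx.header['Vary'] = 'Origin'` so a shared cache does not replay one origin's headers to another. The `'false'` branch clears only `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods`; it should probably also clear `Access-Control-Allow-Credentials`, in case an upstream response sets it (the diff does not show whether one can).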