Allowing 3rd party UIs to access x-total-count http header (#1470)

* Adding 'x-content-duratin' and 'x-total-count' to CORS exposed headers * Moving cors setup to middlewares.go * adding x-nd-authorization to exposed headers
2025-04-13 10:47:19 +03:00 · 2021-11-19 08:07:54 -07:00 · 2021-11-19 08:07:54 -07:00 · 6d947f6f7e
commit 6d947f6f7e
parent 8c7d95c135
2 changed files with 20 additions and 2 deletions
--- a/server/middlewares.go
+++ b/server/middlewares.go
@ -7,6 +7,8 @@ import (
 	"strings"
 	"time"

+	"github.com/go-chi/cors"
+
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/navidrome/navidrome/consts"
 	"github.com/navidrome/navidrome/log"
@ -71,6 +73,23 @@ func robotsTXT(fs fs.FS) func(next http.Handler) http.Handler {
 	}
 }

+func corsHandler() func(h http.Handler) http.Handler {
+	return cors.Handler(cors.Options{
+		AllowedOrigins: []string{"*"},
+		AllowedMethods: []string{
+			http.MethodHead,
+			http.MethodGet,
+			http.MethodPost,
+			http.MethodPut,
+			http.MethodPatch,
+			http.MethodDelete,
+		},
+		AllowedHeaders:   []string{"*"},
+		AllowCredentials: false,
+		ExposedHeaders:   []string{"x-content-duration", "x-total-count", "x-nd-authorization"},
+	})
+}
+
 func secureMiddleware() func(h http.Handler) http.Handler {
 	sec := secure.New(secure.Options{
 		ContentTypeNosniff: true,
--- a/server/server.go
+++ b/server/server.go
@ -8,7 +8,6 @@ import (

 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
-	"github.com/go-chi/cors"
 	"github.com/go-chi/httprate"
 	"github.com/navidrome/navidrome/conf"
 	"github.com/navidrome/navidrome/consts"
@ -57,7 +56,7 @@ func (s *Server) initRoutes() {
 	r := chi.NewRouter()

 	r.Use(secureMiddleware())
-	r.Use(cors.AllowAll().Handler)
+	r.Use(corsHandler())
 	r.Use(middleware.RequestID)
 	if conf.Server.ReverseProxyWhitelist == "" {
 		r.Use(middleware.RealIP)