From 33f7c8f911fa798c2c8586bb52c67944f410c306 Mon Sep 17 00:00:00 2001
From: Paul Schwandes
Date: Mon, 23 Mar 2026 21:29:56 +0100
Subject: [PATCH] fix(auth): bypass authentication for CORS preflight requests
- Allow OPTIONS requests to skip authentication, as browsers are forbidden from sending credentials during a preflight handshake.
- Move ResponseHeadersFilter before BasicAuthFilter to ensure CORS headers are attached to the response even if authentication fails.
This ensures that browser-based clients can successfully authenticate with the server without being blocked by CORS preflight failures.
Fixes #357
---
 cpp/server/basic_auth_filter.cpp | 3 +++
 cpp/server/server_host.cpp | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/cpp/server/basic_auth_filter.cpp b/cpp/server/basic_auth_filter.cpp
index aa8c270e..27098e1d 100644
--- a/cpp/server/basic_auth_filter.cpp
+++ b/cpp/server/basic_auth_filter.cpp
@@ -27,6 +27,9 @@ BasicAuthFilter::~BasicAuthFilter() = default;
 void BasicAuthFilter::beginRequest(Request* request)
 {
+ if (request->method == HttpMethod::OPTIONS)
+ return;
+
 if (verifyCredentials(request))
 return;
diff --git a/cpp/server/server_host.cpp b/cpp/server/server_host.cpp
index f715281b..a868fae4 100644
--- a/cpp/server/server_host.cpp
+++ b/cpp/server/server_host.cpp
@@ -42,14 +42,14 @@ void ServerHost::reconfigure(SettingsDataPtr settings)
 auto router = &config->router;
 auto filters = &config->filters;
+ if (!settings->responseHeaders.empty())
+ filters->add(std::make_unique(settings));
+
 if (settings->authRequired)
 filters->add(std::make_unique(settings));
 filters->add(std::make_unique());
- if (!settings->responseHeaders.empty())
- filters->add(std::make_unique(settings));
-
 filters->add(std::make_unique());
 filters->add(std::make_unique());
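Review bot: The new early return in `beginRequest` skips `verifyCredentials` for every request whose method is OPTIONS, not only for CORS preflights; a preflight is an OPTIONS request that also carries `Origin` and `Access-Control-Request-Method`. Whether the wider bypass is safe depends on code outside this hunk: if any handler behind the filter does work or returns data for OPTIONS, that path no longer requires credentials. I would narrow the condition to requests that carry both preflight headers, or make sure OPTIONS is answered before routing, and record the assumption above the check, e.g. `// CORS preflight: browsers send no credentials; handlers must not act on OPTIONS`. The body of `beginRequest` continues past the end of the hunk.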
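Review bot: The filter order in `reconfigure` is now a security-relevant invariant, but nothing in the code says so, and a later reordering could silently bring back the failure from #357. Presumably filters run in the order they are added, which means every header in `settings->responseHeaders` is now also attached to responses for requests that fail authentication; that is the intent for CORS headers, but it applies equally to anything else configured there. I would add a comment above the moved block such as `// Must precede BasicAuthFilter so 401 responses still carry the configured CORS headers`, and a test that an unauthenticated request receives those headers together with the rejection. `reconfigure` starts before and continues after this hunk.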