Diffstat (limited to 'app/controllers/jira_connect/application_controller.rb')
-rw-r--r-- | app/controllers/jira_connect/application_controller.rb | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/app/controllers/jira_connect/application_controller.rb b/app/controllers/jira_connect/application_controller.rb
index e26d69314cd..b9f0ea795e1 100644
--- a/app/controllers/jira_connect/application_controller.rb
+++ b/app/controllers/jira_connect/application_controller.rb
@@ -3,6 +3,11 @@ class JiraConnect::ApplicationController < ApplicationController
   include Gitlab::Utils::StrongMemoize
 
+  CORS_ALLOWED_METHODS = {
+    '/-/jira_connect/oauth_application_id' => %i[GET OPTIONS],
+    '/-/jira_connect/subscriptions/*' => %i[DELETE OPTIONS]
+  }.freeze
+
   skip_before_action :authenticate_user!
   skip_before_action :verify_authenticity_token
   before_action :verify_atlassian_jwt!
 
@@ -60,4 +65,25 @@ class JiraConnect::ApplicationController < ApplicationController
   def auth_token
     params[:jwt] || request.headers['Authorization']&.split(' ', 2)&.last
   end
+
+  def cors_allowed_methods
+    CORS_ALLOWED_METHODS[resource]
+  end
+
+  def resource
+    request.path.gsub(%r{/\d+$}, '/*')
+  end
+
+  def set_cors_headers
+    return unless allow_cors_request?
+
+    response.set_header('Access-Control-Allow-Origin', Gitlab::CurrentSettings.jira_connect_proxy_url)
+    response.set_header('Access-Control-Allow-Methods', cors_allowed_methods.join(', '))
+  end
+
+  def allow_cors_request?
+    return false if cors_allowed_methods.nil?
+
+    !Gitlab.com? && Gitlab::CurrentSettings.jira_connect_proxy_url.present?
+  end
 end
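Review bot: `resource` anchors the id-stripping pattern with `$`, which in Ruby matches before an embedded newline rather than only at the end of the string, and only the trailing segment is ever normalised, so `request.path.sub(%r{/\d+\z}, '/*')` is both the tighter anchor and cheaper than `gsub`. A cross-origin DELETE is always preflighted, and if the proxy passes the JWT in the `Authorization` header (which `auth_token` reads) the preflight response also needs an `Access-Control-Allow-Headers` entry naming it, which `set_cors_headers` does not emit — worth confirming against how the proxy actually sends the token. Nothing in these hunks invokes `set_cors_headers`, so presumably the subclass controllers hook it as an after-action; the `private` marker that would govern the visibility of the new methods lies outside the second hunk, as does the rest of the class body. A short comment on `CORS_ALLOWED_METHODS` such as `# Keys are request paths with a trailing numeric id replaced by '*' (see #resource); only these paths may be called cross-origin from the Jira Connect proxy.` would make the lookup contract between the constant and `resource` explicit.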