From c3b9e292c25d0681f757ce7b84e673fa3c05920b Mon Sep 17 00:00:00 2001
From: Martin Fenner
Date: Mon, 19 Jul 2021 07:41:45 +0200
Subject: [PATCH] configure cors in nginx
---
 config/initializers/cors.rb | 30 +++++++++++++++---------------
 vendor/docker/webapp.conf | 23 +++++++++++++++++++++++
 2 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index 91e689eb1..d56f84fe4 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -7,18 +7,18 @@
 # Read more: https://github.com/cyu/rack-cors
-Rails.application.config.middleware.insert_before 0,
- Rack::Cors,
- debug: true,
- logger:
- (-> { Rails.logger }) do
- allow do
- origins Rails.application.config.allowed_cors_origins.deep_dup
- # origins "*"
- resource "*",
- headers: :any,
- expose: %w[X-Credential-Username X-Anonymous-Consumer],
- methods: %i[get post put patch delete options head],
- credentials: true
- end
-end
+# Rails.application.config.middleware.insert_before 0,
+# Rack::Cors,
+# debug: true,
+# logger:
+# (-> { Rails.logger }) do
+# allow do
+# origins Rails.application.config.allowed_cors_origins.deep_dup
+# # origins "*"
+# resource "*",
+# headers: :any,
+# expose: %w[X-Credential-Username X-Anonymous-Consumer],
+# methods: %i[get post put patch delete options head],
+# credentials: true
+# end
+# end
diff --git a/vendor/docker/webapp.conf b/vendor/docker/webapp.conf
index 4cd293db0..2847387f3 100644
--- a/vendor/docker/webapp.conf
+++ b/vendor/docker/webapp.conf
@@ -15,6 +15,29 @@ server {
 return 301 https://support.datacite.org/docs/api;
 }
+ location / {
+ # enable CORS
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' $http_origin;
+ add_header 'Access-Control-Allow-Methods' 'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range,X-Credential-Username,X-Anonymous-Consumer,Authorization';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ if ($request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' $http_origin;
+ add_header 'Access-Control-Allow-Methods' 'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,Content-Type,Accept,Accept-Encoding,Origin,User-Agent,Cache-Control,Keep-Alive,Authorization';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range,X-Credential-Username,X-Anonymous-Consumer,Authorization';
+ }
+ }
+
 location /client-api/graphql {
 gzip on;
 gzip_min_length 1000;
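Review bot: The `add_header 'Access-Control-Allow-Origin' $http_origin;` lines in both `if` blocks echo whatever Origin the request carries and pair it with `Access-Control-Allow-Credentials: true`, so every origin is allowed to send credentialed requests and read the responses. The rack-cors block commented out in config/initializers/cors.rb restricted origins to `allowed_cors_origins`, and that allow-list is not carried over. Resolve the origin through a `map` and add `Vary: Origin` so a cache cannot hand one origin's response to another; as far as I know nginx omits an `add_header` whose value is empty, so unlisted origins would get no header. The headers are also set only for OPTIONS and POST, although the preflight advertises GET, PUT, PATCH and DELETE, and without `always` they are dropped from most error responses. The `server` block continues outside the hunk.

```nginx
# http context, above the server block; the origin below is a placeholder for the allowed_cors_origins entries
map $http_origin $cors_origin {
    default "";
    "https://app.example.org" $http_origin;
}

# … unchanged: server block down to location / …
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $cors_origin always;
            add_header 'Vary' 'Origin' always;
            # … unchanged: remaining Access-Control-* headers, return 204 …
        }
        # … the same two lines replace the Allow-Origin header in the POST block …
```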