Skip to content

fix(cors): Allow Bearer token authentication for CORS requests #55878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cbcoutinho wants to merge 9 commits into
base: master
Choose a base branch
from
Open

fix(cors): Allow Bearer token authentication for CORS requests #55878

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
8fb5e77
fix(cors): Allow Bearer token authentication for CORS requests
cbcoutinho Oct 21, 2025
84675f7
Merge remote-tracking branch 'upstream/master' into fix/cors-bearer-t…
cbcoutinho Oct 29, 2025
dd8a462
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Oct 30, 2025
73b7e58
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Nov 3, 2025
643acb4
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Nov 3, 2025
e622e68
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Nov 5, 2025
74e6607
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Nov 14, 2025
034d436
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Dec 16, 2025
af0c0f2
Merge branch 'master' into fix/cors-bearer-token-support
cbcoutinho Dec 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,13 @@ public function beforeController($controller, $methodName) {
$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;

// Allow Bearer token authentication for CORS requests
// Bearer tokens are stateless and don't require CSRF protection
$authorizationHeader = $this->request->getHeader('Authorization');
if (!empty($authorizationHeader) && str_starts_with($authorizationHeader, 'Bearer ')) {
return;
}

// Allow to use the current session if a CSRF token is provided
if ($this->request->passesCSRFCheck()) {
return;
Expand Down
33 changes: 33 additions & 0 deletions tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -341,4 +341,37 @@ public function testAfterExceptionWithRegularException(): void {
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$middleware->afterException($this->controller, __FUNCTION__, new \Exception('A regular exception'));
}

public static function dataCORSShouldAllowBearerAuth(): array {
return [
['testCORSShouldNeverAllowCookieAuth'],
['testCORSShouldNeverAllowCookieAuthAttribute'],
['testCORSAttributeShouldNeverAllowCookieAuth'],
['testCORSAttributeShouldNeverAllowCookieAuthAttribute'],
];
}

#[\PHPUnit\Framework\Attributes\DataProvider('dataCORSShouldAllowBearerAuth')]
public function testCORSShouldAllowBearerAuth(string $method): void {
$request = new Request(
[
'server' => [
'HTTP_AUTHORIZATION' => 'Bearer test-token-123'
]
],
$this->createMock(IRequestId::class),
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$this->session->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
$this->session->expects($this->never())
->method('logout');
$this->session->expects($this->never())
->method('logClientIn');

$middleware->beforeController($this->controller, $method);
}
}