make CORS preflight more explicit

2024-11-05 23:50:16 +01:00 · 2024-11-05 23:50:16 +01:00 · 29f6d82b19
commit 29f6d82b19
parent 58d0588fbd
1 changed files with 8 additions and 15 deletions
--- a/examples/server/server.cpp
+++ b/examples/server/server.cpp
@ -2281,16 +2281,6 @@ int main(int argc, char ** argv) {
    std::atomic<server_state> state{SERVER_STATE_LOADING_MODEL};

    svr->set_default_headers({{"Server", "llama.cpp"}});
-
-    // CORS preflight
-    svr->Options(R"(.*)", [](const httplib::Request &, httplib::Response & res) {
-        // Access-Control-Allow-Origin is already set by middleware
-        res.set_header("Access-Control-Allow-Credentials", "true");
-        res.set_header("Access-Control-Allow-Methods",     "POST");
-        res.set_header("Access-Control-Allow-Headers",     "*");
-        return res.set_content("", "text/html"); // blank response, no data
-    });
-
    svr->set_logger(log_server_request);

    auto res_error = [](httplib::Response & res, const json & error_data) {
@ -2356,11 +2346,6 @@ int main(int argc, char ** argv) {
            "/v1/models",
        };

-        // If this is OPTIONS request, skip validation because browsers don't include Authorization header
-        if (req.method == "OPTIONS") {
-            return true;
-        }
-
        // If API key is not set, skip validation
        if (params.api_keys.empty()) {
            return true;
@ -2408,6 +2393,14 @@ int main(int argc, char ** argv) {
    // register server middlewares
    svr->set_pre_routing_handler([&middleware_validate_api_key, &middleware_server_state](const httplib::Request & req, httplib::Response & res) {
        res.set_header("Access-Control-Allow-Origin", req.get_header_value("Origin"));
+        // If this is OPTIONS request, skip validation because browsers don't include Authorization header
+        if (req.method == "OPTIONS") {
+            res.set_header("Access-Control-Allow-Credentials", "true");
+            res.set_header("Access-Control-Allow-Methods",     "POST");
+            res.set_header("Access-Control-Allow-Headers",     "*");
+            res.set_content("", "text/html"); // blank response, no data
+            return httplib::Server::HandlerResponse::Handled; // skip further processing
+        }
        if (!middleware_server_state(req, res)) {
            return httplib::Server::HandlerResponse::Handled;
        }