From 29028d775a5ef713092e60b1f15bd9014d8a0dcf Mon Sep 17 00:00:00 2001
From: arenekosreal <17194552+arenekosreal@users.noreply.github.com>
Date: Fri, 20 Sep 2024 15:08:42 +0800
Subject: [PATCH] Make OPTIONS method on MSC3916 endpoints available without
 authentication.

OPTIONS method is usually sent by browser in preflight requests,
most of the time we cannot control preflight request to add auth header.

Synapse will return a 204 response directly without authentication for
those OPTIONS method.

According to firefox's documentation, both 200 and 204 are acceptable
so I think there is no need to change handler in dendrite.

This closes https://github.com/matrix-org/dendrite/issues/3424

No need to add a test because this is just a fix and I have tested on my
Cinny Web client personally.

Signed-off-by: arenekosreal <17194552+arenekosreal@users.noreply.github.com>
---
 internal/httputil/httpapi.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/internal/httputil/httpapi.go b/internal/httputil/httpapi.go
index 0559fbb727..034f19f1fb 100644
--- a/internal/httputil/httpapi.go
+++ b/internal/httputil/httpapi.go
@@ -210,6 +210,12 @@ func MakeExternalAPI(metricsName string, f func(*http.Request) util.JSONResponse
 // This is used to serve HTML alongside JSON error messages
 func MakeHTTPAPI(metricsName string, userAPI userapi.QueryAcccessTokenAPI, enableMetrics bool, f func(http.ResponseWriter, *http.Request), checks ...AuthAPIOption) http.Handler {
 	withSpan := func(w http.ResponseWriter, req *http.Request) {
+		if req.Method == http.MethodOptions {
+			util.SetCORSHeaders(w)
+			w.WriteHeader(http.StatusOK) // Maybe http.StatusNoContent?
+			return
+		}
+
 		trace, ctx := internal.StartTask(req.Context(), metricsName)
 		defer trace.EndTask()
 		req = req.WithContext(ctx)