CORS and API key

[Cyberax]

CORS needs to be allow-listed for unauthenticated requests (without the API key) otherwise browsers can't use it.

This can be simply done by moving the https://github.com/mudler/LocalAI/blob/07655c0c2e0e5fe2bca86339a12237b69d258636/core/http/app.go#L138C5-L138C16 block before the authorization middleware, or by adding an exception for the OPTIONS HTTP method in

LocalAI/core/http/middleware/auth.go

Line 83 in 07655c0

func getApiKeyRequiredFilterFunction(applicationConfig *config.ApplicationConfig) func(*fiber.Ctx) bool {

[katerasrael]

This seems to be related to a problem I have, when I try to connect the Thunderbird-Addon ThunderAI to LocalAI.

The Addon tries to get the models from the LocalAI-instance and in the container-logs I can see the following line:
WRN Client error ip=192.168.0.xxx latency=1.571684ms method=OPTIONS status=404 url=/models

See also the issue I opened there micz/ThunderAI#242

[edit: fixed the link]