From 5ccd74dc3cb165faba463c50fa55e8133cdfd273 Mon Sep 17 00:00:00 2001
From: Frank Schubert
Date: Thu, 1 Dec 2022 16:46:14 +0100
Subject: [PATCH] returning CORS Allow-Origin when returning Unauthorized
---
 lib/mvcfronk/mfBase/mfBaseApicontroller.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/mvcfronk/mfBase/mfBaseApicontroller.php b/lib/mvcfronk/mfBase/mfBaseApicontroller.php
index a8c82750b..fa27ee762 100644
--- a/lib/mvcfronk/mfBase/mfBaseApicontroller.php
+++ b/lib/mvcfronk/mfBase/mfBaseApicontroller.php
@@ -123,6 +123,14 @@ class mfBaseApicontroller {
 $me->loadByApikey($key);
 if(!$me->id) {
+ header("Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS");
+ header("Access-Control-Allow-Headers: X-Api-Key");
+
+ if(preg_match('#^(https?)://([^/:]+)(:\d+)?/?$#i', $this->headers['origin'], $m)) {
+ $origin_proto = $m[1];
+ $origin_hostname = $m[2];
+ header("Access-Control-Allow-Origin: ".$origin_proto."://".$origin_hostname);
+ }
 $this->return(mfResponse::Unauthorized(['message' => "API key missing or invalid"]));
 }
 $_SESSION[MFAPPNAME.'_username'] = $me->username;
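Review bot: The reflected `Access-Control-Allow-Origin` value drops the port that the regex captures in group 3, so a browser origin such as `http://localhost:8080` (constructed example) gets back `http://localhost` and the CORS check still fails on the 401; if that is not intended, build the value as `$m[1]."://".$m[2].($m[3] ?? '')`. Because the header now varies with the request, the branch should also send `header("Vary: Origin");` so a shared cache cannot replay one origin's header to another. `$this->headers['origin']` is read without a guard, and a client that sends no Origin header would presumably pass null to `preg_match`; `$this->headers['origin'] ?? ''` avoids that warning being emitted between the `header()` calls. Any http(s) origin is echoed with no allowlist, which is equivalent to `*` and is only safe while no `Access-Control-Allow-Credentials` header is sent on this path; the success path and the rest of the method lie outside the hunk, so that cannot be confirmed here.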