separate cors middleware

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/brands/middleware.py

@@ -24,13 +24,32 @@ class BrandMiddleware:
             locale = brand.default_locale
             if locale != "":
                 activate(locale)
-        response = self.get_response(request)
+        return self.get_response(request)
+
+
+class BrandCORSAPIMiddleware:
+    """CORS for API requests depending on Brand"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def set_headers(self, request: HttpRequest, response: HttpResponse):
         response["Access-Control-Allow-Origin"] = "http://localhost:8080"
         response["Access-Control-Allow-Credentials"] = "true"
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
         if request.method == "OPTIONS":
-            response.status_code = 200
+            response = HttpResponse(
+                status=200,
+            )
+            self.set_headers(request, response)
             response["Access-Control-Allow-Headers"] = (
                 "authorization,sentry-trace,x-authentik-csrf,content-type"
             )
             response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
+            return response
+        response = self.get_response(request)
+        self.set_headers(request, response)
         return response

authentik/root/settings.py

@@ -248,6 +248,7 @@ MIDDLEWARE = [
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "authentik.core.middleware.RequestIDMiddleware",
     "authentik.brands.middleware.BrandMiddleware",
+    "authentik.brands.middleware.BrandCORSAPIMiddleware",
     "authentik.events.middleware.AuditMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.middleware.common.CommonMiddleware",