From 8c7c7c3fee73e1b6b14f2841602e10bf764c6976 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 3 Sep 2024 19:02:46 +0200
Subject: [PATCH] separate cors middleware

Signed-off-by: Jens Langhammer
---
 authentik/brands/middleware.py | 23 +++++++++++++++++++++--
 authentik/root/settings.py | 1 +
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/authentik/brands/middleware.py b/authentik/brands/middleware.py
index 6e0ace053f..81b4ff63fe 100644
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@@ -24,13 +24,32 @@ class BrandMiddleware:
 locale = brand.default_locale
 if locale != "":
 activate(locale)
- response = self.get_response(request)
+ return self.get_response(request)
+
+
+class BrandCORSAPIMiddleware:
+ """CORS for API requests depending on Brand"""
+
+ get_response: Callable[[HttpRequest], HttpResponse]
+
+ def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+ self.get_response = get_response
+
+ def set_headers(self, request: HttpRequest, response: HttpResponse):
 response["Access-Control-Allow-Origin"] = "http://localhost:8080"
 response["Access-Control-Allow-Credentials"] = "true"
+
+ def __call__(self, request: HttpRequest) -> HttpResponse:
 if request.method == "OPTIONS":
- response.status_code = 200
+ response = HttpResponse(
+ status=200,
+ )
+ self.set_headers(request, response)
 response["Access-Control-Allow-Headers"] = (
 "authorization,sentry-trace,x-authentik-csrf,content-type"
 )
 response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
+ return response
+ response = self.get_response(request)
+ self.set_headers(request, response)
 return response
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 8b3c7666b3..0363ea2e56 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
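Review bot: `set_headers` in the new `BrandCORSAPIMiddleware` sends a fixed `Access-Control-Allow-Origin: http://localhost:8080` together with `Access-Control-Allow-Credentials: true` on every response and never reads the `request` or the brand, so the docstring ("CORS for API requests depending on Brand") does not match the code. With credentials allowed, any page served from that origin can make authenticated cross-origin calls and read the replies; the value looks like a development setting and should come from configuration. The `OPTIONS` branch in `__call__` also answers every OPTIONS request with 200, whatever the path or `Origin`, without calling `get_response`. I would echo the request's `Origin` only when it is on an allow-list, add `Vary: Origin` through Django's `patch_vary_headers` (from `django.utils.cache`), and apply the same check before short-circuiting the preflight. `ALLOWED_ORIGINS` below is a placeholder for wherever that list ends up being kept.

```python
    def set_headers(self, request: HttpRequest, response: HttpResponse):
        origin = request.headers.get("Origin")
        # ALLOWED_ORIGINS: placeholder for the per-brand or configured allow-list
        if origin is None or origin not in ALLOWED_ORIGINS:
            return
        response["Access-Control-Allow-Origin"] = origin
        response["Access-Control-Allow-Credentials"] = "true"
        # caches must not reuse a response across different Origin values
        patch_vary_headers(response, ("Origin",))

    # … unchanged: __call__ …
```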
@@ -248,6 +248,7 @@ MIDDLEWARE = [
 "django.contrib.auth.middleware.AuthenticationMiddleware",
 "authentik.core.middleware.RequestIDMiddleware",
 "authentik.brands.middleware.BrandMiddleware",
+ "authentik.brands.middleware.BrandCORSAPIMiddleware",
 "authentik.events.middleware.AuditMiddleware",
 "django.middleware.security.SecurityMiddleware",
 "django.middleware.common.CommonMiddleware",
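Review bot: The position of the new entry decides which middleware a preflight skips, and nothing in the list records that. `BrandCORSAPIMiddleware` returns its own response for every OPTIONS request, so `AuditMiddleware`, `SecurityMiddleware`, `CommonMiddleware` and whatever follows outside this hunk never run for those requests, while a response produced by an entry above it leaves without the CORS headers. If that order is intended, say so next to the entry, for example `# answers OPTIONS itself; entries below never see preflight requests`. The entry is also registered unconditionally, so the middleware's hard-coded `http://localhost:8080` origin will be active in every deployment that uses these settings.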