From de028920c8b867359c486c9d758235d2094a9f34 Mon Sep 17 00:00:00 2001
From: Willem Dantuma
Date: Mon, 10 Oct 2022 18:36:51 +0200
Subject: [PATCH] Make allowed cors headers configurable
---
 pkg/op/config.go | 2 ++
 pkg/op/mock/configuration.mock.go | 14 ++++++++++++++
 pkg/op/op.go | 10 ++++++----
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/pkg/op/config.go b/pkg/op/config.go
index 3045022..df609ba 100644
--- a/pkg/op/config.go
+++ b/pkg/op/config.go
@@ -38,6 +38,8 @@ type Configuration interface {
 SupportedUILocales() []language.Tag
 SupportedScopes() []string
+
+ AllowedCorsHeaders() []string
 }
 func ValidateIssuer(issuer string) error {
diff --git a/pkg/op/mock/configuration.mock.go b/pkg/op/mock/configuration.mock.go
index bdc4254..3d2083c 100644
--- a/pkg/op/mock/configuration.mock.go
+++ b/pkg/op/mock/configuration.mock.go
@@ -35,6 +35,20 @@ func (m *MockConfiguration) EXPECT() *MockConfigurationMockRecorder {
 return m.recorder
 }
+// AllowedCorsHeaders mocks base method.
+func (m *MockConfiguration) AllowedCorsHeaders() []string {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "AllowedCorsHeaders")
+ ret0, _ := ret[0].([]string)
+ return ret0
+}
+
+// AllowedCorsHeaders indicates an expected call of AllowedCorsHeaders.
+func (mr *MockConfigurationMockRecorder) AllowedCorsHeaders() *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AllowedCorsHeaders", reflect.TypeOf((*MockConfiguration)(nil).AllowedCorsHeaders))
+}
+
 // AuthMethodPostSupported mocks base method.
 func (m *MockConfiguration) AuthMethodPostSupported() bool {
 m.ctrl.T.Helper()
diff --git a/pkg/op/op.go b/pkg/op/op.go
index bb981e7..c53f16e 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
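Review bot: The `AllowedCorsHeaders() []string` method added to the `Configuration` interface in pkg/op/config.go has no doc comment, so an implementer cannot tell what a nil or empty result means for the CORS policy. Since the op.go part of this patch hands the value to the CORS middleware in `CreateRouter`, I would document it on the interface, e.g. `// AllowedCorsHeaders returns the request header names passed to the CORS middleware as allowed headers.` Adding a method to an exported interface also breaks any implementation outside this repository until it adds the method, which deserves a line in the commit description. The interface declaration starts before this hunk.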
@@ -65,7 +65,7 @@ func CreateRouter(o OpenIDProvider, interceptors ...HttpInterceptor) *mux.Router
 router := mux.NewRouter()
 router.Use(handlers.CORS(
 handlers.AllowCredentials(),
- handlers.AllowedHeaders([]string{"authorization", "content-type", "dpop"}),
+ handlers.AllowedHeaders(o.AllowedCorsHeaders()),
 handlers.AllowedOriginValidator(allowAllOrigins),
 ))
 router.HandleFunc(healthEndpoint, healthHandler)
@@ -104,6 +104,7 @@ type config struct {
 RequestObjectSupported bool
 SupportedUILocales []language.Tag
 SupportedScopes []string
+ AllowedCorsHeaders []string
 }
 type endpoints struct {
@@ -120,7 +121,8 @@ type endpoints struct {
 func NewConfig() *config {
 // config defaults
 config := &config{
- SupportedScopes: DefaultSupportedScopes,
+ SupportedScopes: DefaultSupportedScopes,
+ AllowedCorsHeaders: []string{"authorization", "content-type"},
 }
 return config
 }
@@ -316,8 +318,8 @@ func (o *openidProvider) SupportedScopes() []string {
 return o.config.SupportedScopes
 }
-func (o *openidProvider) SetScopesSupported(scopes []string) {
- o.config.SupportedScopes = scopes
+func (o *openidProvider) AllowedCorsHeaders() []string {
+ return o.config.AllowedCorsHeaders
 }
 func (o *openidProvider) Storage() Storage {
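Review bot: In `CreateRouter` the result of `o.AllowedCorsHeaders()` goes straight into `handlers.AllowedHeaders` with no check, right next to `handlers.AllowCredentials()` and an origin validator named `allowAllOrigins`. A provider whose configuration returns nil or an empty slice would stop allowing `authorization` and `content-type` on cross-origin requests without any error, presumably leaving only what the middleware permits by default. The list is also read once, when the router is built, so later changes to the configuration have no effect on it. A short comment would make both points explicit: `// CORS header allow-list is read once from configuration; origins are not restricted here, so keep it minimal.` The function body starts and ends outside this hunk.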
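Review bot: The default set in `NewConfig` is `[]string{"authorization", "content-type"}`, while the literal this patch removes from `CreateRouter` also listed `"dpop"`, so providers built on the defaults stop accepting that header in CORS preflight. The commit message only speaks of making the list configurable, so this looks like an unannounced behaviour change for browser clients that send a DPoP proof. If it is unintended, keep the previous set with `AllowedCorsHeaders: []string{"authorization", "content-type", "dpop"},`. If it is intended, say so in the description and consider a named package-level default alongside `DefaultSupportedScopes`, so callers can extend the list instead of retyping it.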
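Review bot: The last hunk of pkg/op/op.go deletes `SetScopesSupported` and puts `AllowedCorsHeaders` in its place, although the commit subject concerns only CORS headers. This may be a rebase artefact; any caller or interface that still expects the setter (not visible here) will stop compiling, and there is no longer a way in this hunk to change `SupportedScopes` on the provider. If the removal is not intended, add the getter alongside the existing method instead of replacing it. The getter also has no doc comment; `// AllowedCorsHeaders returns the configured CORS request header allow-list.` would match the interface method it implements.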