diff --git a/app/controllers/iiif/auth/v2/probe_service_controller.rb b/app/controllers/iiif/auth/v2/probe_service_controller.rb
index 77a8ebec..bee48898 100644
--- a/app/controllers/iiif/auth/v2/probe_service_controller.rb
+++ b/app/controllers/iiif/auth/v2/probe_service_controller.rb
@@ -15,18 +15,28 @@ def show
 file = StacksFile.new(id: parsed_uri[:druid], file_name: parsed_uri[:file_name], download: true)
- response = { '@context': 'http://iiif.io/api/auth/2/context.json', type: 'AuthProbeResult2' }
+ json = { '@context': 'http://iiif.io/api/auth/2/context.json', type: 'AuthProbeResult2' }
 if !file.readable?
- response[:status] = 404
+ json[:status] = 404
 elsif can? :access, file
- response[:status] = 200
+ json[:status] = 200
 else
- response[:status] = 401
- response.merge!(add_detail(file))
+ json[:status] = 401
+ json.merge!(add_detail(file))
 end
- render json: response
+ render json:
+ end
+
+ # Because the probe request sets the Accept header, the browser is going to preflight the request.
+ # Here we tell the browser, yes, we're good with this.
+ def options_pre_flight
+ response.headers['Access-Control-Allow-Origin'] = '*'
+ response.headers['Access-Control-Allow-Methods'] = 'GET'
+ response.headers['Access-Control-Allow-Headers'] = 'Authorization'
+ response.headers['Access-Control-Max-Age'] = '1728000'
+ head :no_content
 end
 private
diff --git a/config/routes.rb b/config/routes.rb
index b9a9f947..ee163bac 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -84,4 +84,6 @@
 # IIIF Auth V2
 get '/iiif/auth/v2/token' => 'iiif/auth/v2/token#create'
 get '/iiif/auth/v2/probe' => 'iiif/auth/v2/probe_service#show'
+ options '/iiif/auth/v2/probe' => 'iiif/auth/v2/probe_service#options_pre_flight'
+
 end
diff --git a/spec/requests/iiif/auth/v2/probe_service_spec.rb b/spec/requests/iiif/auth/v2/probe_service_spec.rb
index 2ad2dd18..891cb6f6 100644
--- a/spec/requests/iiif/auth/v2/probe_service_spec.rb
+++ b/spec/requests/iiif/auth/v2/probe_service_spec.rb
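Review bot: The new options_pre_flight sets Access-Control-Allow-Origin on the OPTIONS response, but the actual GET served by show on the same route still ends in `render json:` without that header, so unless rack-cors or a before_action outside this hunk supplies it, the browser will accept the preflight and then block the viewer from reading the probe result; show begins before the hunk, so that cannot be confirmed here. The smallest fix is `response.headers['Access-Control-Allow-Origin'] = '*'` ahead of `render json:` in show, or hoisting the header assignment into a before_action shared by both actions so the two cannot drift apart. The wildcard origin is acceptable only because no Access-Control-Allow-Credentials is sent, meaning a cross-origin caller gets nothing beyond what its own bearer token in the Authorization header entitles it to; a comment to that effect on the `'*'` line would stop a later change from adding credentials. Browsers also cap Access-Control-Max-Age well below 1728000 seconds (Chromium at 7200), so the value mostly documents intent rather than controlling cache time.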
@@ -17,6 +17,17 @@
 allow_any_instance_of(StacksFile).to receive(:readable?).and_return('420')
 end
+ describe 'pre-flight request' do
+ before do
+ options "/iiif/auth/v2/probe?id=#{stacks_uri_param}"
+ end
+
+ it 'sets the headers' do
+ expect(response).to have_http_status :no_content
+ expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+ end
+ end
+
 context 'when the URI is not properly encoded' do
 let(:file_name) { 'this has spaces.pdf' }
 let(:stacks_uri) { "https://stacks-uat.stanford.edu/file/druid:#{id}/#{file_name}" }
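Review bot: The new 'sets the headers' example asserts only the status and Access-Control-Allow-Origin, leaving Allow-Methods and Allow-Headers unchecked even though the Authorization entry in Access-Control-Allow-Headers is what the bearer-token probe actually depends on. Adding `expect(response.headers['Access-Control-Allow-Headers']).to eq 'Authorization'` and `expect(response.headers['Access-Control-Allow-Methods']).to eq 'GET'` would catch a regression in either value. The request in the before block sends no Origin or Access-Control-Request-Headers header, which matches the controller answering unconditionally, but it means the spec will not notice if the handler later starts validating them.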