From 6b3f52fe5f7db5b3122cc8481ab8fed83e273fde Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Mon, 26 Aug 2019 04:33:06 -0700
Subject: [PATCH] Run CORS handler first for /api routes (#7967)

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 routers/api/v1/api.go    | 9 +--------
 routers/routes/routes.go | 8 +++++++-
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 69dfc89378..64c4b47a64 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -75,7 +75,6 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/user"
 
 	"gitea.com/macaron/binding"
-	"gitea.com/macaron/cors"
 	"gitea.com/macaron/macaron"
 )
 
@@ -502,12 +501,6 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Get("/swagger", misc.Swagger) //Render V1 by default
 	}
 
-	var handlers []macaron.Handler
-	if setting.EnableCORS {
-		handlers = append(handlers, cors.CORS(setting.CORSConfig))
-	}
-	handlers = append(handlers, securityHeaders(), context.APIContexter(), sudo())
-
 	m.Group("/v1", func() {
 		// Miscellaneous
 		if setting.API.EnableSwagger {
@@ -853,7 +846,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Group("/topics", func() {
 			m.Get("/search", repo.TopicSearch)
 		})
-	}, handlers...)
+	}, securityHeaders(), context.APIContexter(), sudo())
 }
 
 func securityHeaders() macaron.Handler {
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 5774c65eca..8c329a5f6f 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -41,6 +41,7 @@ import (
 	"gitea.com/macaron/binding"
 	"gitea.com/macaron/cache"
 	"gitea.com/macaron/captcha"
+	"gitea.com/macaron/cors"
 	"gitea.com/macaron/csrf"
 	"gitea.com/macaron/i18n"
 	"gitea.com/macaron/macaron"
@@ -951,9 +952,14 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Get("/swagger.v1.json", templates.JSONRenderer(), routers.SwaggerV1Json)
 	}
 
+	var handlers []macaron.Handler
+	if setting.EnableCORS {
+		handlers = append(handlers, cors.CORS(setting.CORSConfig))
+	}
+	handlers = append(handlers, ignSignIn)
 	m.Group("/api", func() {
 		apiv1.RegisterRoutes(m)
-	}, ignSignIn)
+	}, handlers...)
 
 	m.Group("/api/internal", func() {
 		// package name internal is ideal but Golang is not allowed, so we use private as package name.