From a9d5eb963124f9ac6db1ec07c70f15414814a3f1 Mon Sep 17 00:00:00 2001
From: oxalica
Date: Tue, 3 Sep 2024 02:00:55 -0400
Subject: [PATCH] Explicitly allow `Authorization` header for CORS

It would not be included when just allow `*`.
---
 blahd/src/main.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/blahd/src/main.rs b/blahd/src/main.rs
index c6659ac..363ac67 100644
--- a/blahd/src/main.rs
+++ b/blahd/src/main.rs
@@ -156,12 +156,15 @@ async fn main_async(st: AppState) -> Result<()> {
 .route("/room/:ruuid/item", get(room_get_item).post(room_post_item))
 .route("/room/:ruuid/admin", post(room_admin))
 .with_state(st.clone())
- // NB. This comes at last (outmost layer), so inner errors will still be wrapped with
- // correct CORS headers.
 .layer(tower_http::limit::RequestBodyLimitLayer::new(
 st.config.server.max_request_len,
 ))
- .layer(tower_http::cors::CorsLayer::permissive());
+ // NB. This comes at last (outmost layer), so inner errors will still be wrapped with
+ // correct CORS headers. Also `Authorization` must be explicitly included besides `*`.
+ .layer(
+ tower_http::cors::CorsLayer::permissive()
+ .allow_headers([header::HeaderName::from_static("*"), header::AUTHORIZATION]),
+ );

 let listener = tokio::net::TcpListener::bind(&st.config.server.listen)
 .await
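Review bot: The rebuilt `.layer(...)` at the end of the router chain keeps the any-origin policy of `CorsLayer::permissive()` while now letting preflighted requests carry `Authorization`, so any web origin can send authenticated requests to every route and read the replies. That is sound only while the credential is attached explicitly by the calling script and never travels as a cookie or other ambient credential, which this hunk does not show. I would record that assumption next to the existing NB comment, e.g. `// Any origin is allowed on purpose: auth travels only in an explicit Authorization header, never in cookies.`, and note that `allow_credentials(true)` must stay off this layer. If the deployment knows its front-end origins, an origin list read from the server config would be tighter than the wildcard. `main_async` starts and ends outside the hunk, so how the routes consume the header is not visible here.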