return CORS to bad 403 response (#20720)

StekPerepolnen · web-flow · commit 5d7b5f5c68bc · 2025-07-07T20:21:53.000+02:00
diff --git a/ydb/mvp/oidc_proxy/extension_whoami.cpp b/ydb/mvp/oidc_proxy/extension_whoami.cpp
@@ -45,6 +45,9 @@ void TExtensionWhoami::PatchResponse(NJson::TJsonValue& json, NJson::TJsonValue&
     TString messageOverride;
     NJson::TJsonValue* outJson = nullptr;
 
+    SetCORS(Context->Params->Request, Context->Params->HeadersOverride.Get());
+    Context->Params->HeadersOverride->Set("Content-Type", "application/json; charset=utf-8");
+
     if (json.Has(USER_SID) && json.Has(ORIGINAL_USER_TOKEN)) {
         statusOverride = "200";
         messageOverride = "OK";
@@ -62,7 +65,7 @@ void TExtensionWhoami::PatchResponse(NJson::TJsonValue& json, NJson::TJsonValue&
         }
         outJson = &errorJson;
     }
-    Context->Params->HeadersOverride->Set("Content-Type", "application/json; charset=utf-8");
+
     TStringStream content;
     NJson::WriteJson(&content, outJson, {
         .FloatToStringMode = EFloatToStringMode::PREC_NDIGITS,
diff --git a/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp b/ydb/mvp/oidc_proxy/oidc_proxy_ut.cpp
@@ -1532,8 +1532,12 @@ Y_UNIT_TEST_SUITE(Mvp) {
         {
             TStringBuilder response;
             response << "HTTP/1.1 " << status << "\r\n"
-                    << "Connection: close\r\n"
-                    << "Content-Type: " << contentType << "\r\n";
+                     << "Connection: close\r\n"
+                     << "Content-Type: " << contentType << "\r\n"
+                     << "Access-Control-Allow-Origin: *\r\n"
+                     << "Access-Control-Allow-Credentials: true\r\n"
+                     << "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"
+                     << "Access-Control-Allow-Headers: Authorization, Content-Type\r\n";
             for (const auto& [key, value] : extraHeaders) {
                 response << key << ": " << value << "\r\n";
             }
@@ -1623,6 +1627,10 @@ Y_UNIT_TEST_SUITE(Mvp) {
         NJson::TJsonValue json;
         NHttp::THeaders headers(outgoing->Response->Headers);
 
+        UNIT_ASSERT(headers.Has("Access-Control-Allow-Credentials"));
+        UNIT_ASSERT(headers.Has("Access-Control-Allow-Headers"));
+        UNIT_ASSERT(headers.Has("Access-Control-Allow-Methods"));
+        UNIT_ASSERT(headers.Has("Access-Control-Allow-Origin"));
         if (!outgoing->Response->Status.StartsWith("3") && outgoing->Response->Status != "404") {
             UNIT_ASSERT(headers.Has("Content-Type"));
             UNIT_ASSERT_STRINGS_EQUAL(headers.Get("Content-Type").NextTok(';'), "application/json");
