Merge pull request #5 from TimPickin/patch-2

Avoid duplicate Access-Control-Allow-Origin headers

src/Our.Umbraco.AuthU/Web/Controllers/OAuthController.cs

@@ -5,6 +5,7 @@
 using System.Web.Http;
 using Our.Umbraco.AuthU.Extensions;
 using Our.Umbraco.AuthU.Models;
+using System.Linq;
 
 namespace Our.Umbraco.AuthU.Web.Controllers
 {
@@ -35,8 +36,8 @@ public object Token(OAuthTokenRequest request)
 
             ProcessClient(request);
 
-            HttpContext.Current.Response.Headers.Add("Access-Control-Allow-Origin", Client != null ? Client.AllowedOrigin : Context.Options.AllowedOrigin);
-
+	    	SetAllowedOriginHeader();
+            
             switch (request.grant_type)
             {
                 case "password":
@@ -76,6 +77,27 @@ protected void ProcessClient(OAuthTokenRequest request)
                 Client = client;
             }
         }
+
+		protected void SetAllowedOriginHeader()
+		{
+			string AccessControlAllowOriginHeaderKey = "Access-Control-Allow-Origin";
+			string allowedOrigin = Client != null ? Client.AllowedOrigin : Context.Options.AllowedOrigin;
+
+			if (HttpContext.Current.Response.Headers.AllKeys.Contains(AccessControlAllowOriginHeaderKey))
+			{
+				var accessControlHeader = HttpContext.Current.Response.Headers.GetValues(AccessControlAllowOriginHeaderKey).FirstOrDefault();
+
+				if (!accessControlHeader.Equals(allowedOrigin, StringComparison.OrdinalIgnoreCase))
+				{
+					string errorMessage = $"There is currently a header set with the key {AccessControlAllowOriginHeaderKey}, but the value: {accessControlHeader} differs from the OAuth configured value: {allowedOrigin}";
+					throw new OAuthResponseException(HttpStatusCode.InternalServerError, new { invalid_allowed_origin = errorMessage });
+				}
+			}
+			else
+			{
+				HttpContext.Current.Response.Headers.Add(AccessControlAllowOriginHeaderKey, allowedOrigin);
+			}
+		}
 
         protected object ProcessPasswordTokenRequest(OAuthTokenRequest request)
         {