From 6a6c2bad731ab4b0e677d28460e4d2bec38142f4 Mon Sep 17 00:00:00 2001
From: Simon Felix Conrad
Date: Sun, 9 Feb 2025 13:51:11 +0100
Subject: [PATCH 1/2] fix(cors): Expose rate-limit headers in API responses

Added `Access-Control-Expose-Headers` to ensure that the rate-limiting headers (`X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`) are accessible in browser-based applications. This resolves the issue where clients could not track rate limits due to CORS restrictions, improving API usability for web-based applications.

Signed-off-by: Simon Felix Conrad
---
 apps/labrinth/src/util/ratelimit.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/labrinth/src/util/ratelimit.rs b/apps/labrinth/src/util/ratelimit.rs
index aa3fd81ff..3479bf919 100644
--- a/apps/labrinth/src/util/ratelimit.rs
+++ b/apps/labrinth/src/util/ratelimit.rs
@@ -177,6 +177,14 @@ where
 "*".parse().unwrap(),
 );
 
+ headers.insert(
+ actix_web::http::header::HeaderName::from_str(
+ "Access-Control-Expose-Headers",
+ )
+ .unwrap(),
+ "X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset".parse().unwrap(),
+ );
+
 Box::pin(async {
 Ok(req.into_response(response.map_into_right_body()))
 })
From 075ab816e419af944daa6ab1320d4e1468b675bd Mon Sep 17 00:00:00 2001
From: Simon Felix Conrad
Date: Fri, 14 Feb 2025 10:40:25 +0100
Subject: [PATCH 2/2] fix(cors): allow all http methods

Signed-off-by: Simon Felix Conrad
---
 apps/labrinth/src/util/ratelimit.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/labrinth/src/util/ratelimit.rs b/apps/labrinth/src/util/ratelimit.rs
index 3479bf919..abdf3132f 100644
--- a/apps/labrinth/src/util/ratelimit.rs
+++ b/apps/labrinth/src/util/ratelimit.rs
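Review bot: In patch 1/2 the new `Access-Control-Expose-Headers` insert is attached only to the response returned through `req.into_response(response.map_into_right_body())`, which looks like the short-circuit reply built inside the rate limiter rather than the normal pass-through response. The enclosing function starts and ends outside the hunk, so please confirm that responses on the allowed path, where a browser client actually needs to read `X-RateLimit-Remaining`, expose these headers too; otherwise scripts would only see them once they are already being rejected. Separately, both the name and the value are static, so the two runtime `unwrap()` calls can go: `headers.insert(actix_web::http::header::ACCESS_CONTROL_EXPOSE_HEADERS, actix_web::http::header::HeaderValue::from_static("X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset"));`. The same form applies to the `Access-Control-Allow-Methods` insert in patch 2/2 via `ACCESS_CONTROL_ALLOW_METHODS`.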
@@ -177,6 +177,14 @@ where
 "*".parse().unwrap(),
 );
 
+ headers.insert(
+ actix_web::http::header::HeaderName::from_str(
+ "Access-Control-Allow-Methods",
+ )
+ .unwrap(),
+ "*".parse().unwrap(),
+ );
+
 headers.insert(
 actix_web::http::header::HeaderName::from_str(
 "Access-Control-Expose-Headers",
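Review bot: `Access-Control-Allow-Methods: *` is set here on what appears to be the rate limiter's own short-circuit response, but browsers consult that header only on a successful preflight (an `OPTIONS` reply with an OK status), so on a rejected request it is unlikely to have any effect. The wildcard is also matched literally, not as "any method", when the request carries credentials, and the commit message gives no reason for widening the policy. If cross-origin methods really need to be permitted, it would be safer to declare them once in the service's CORS configuration with an explicit list, for example `"GET, POST, PUT, PATCH, DELETE".parse().unwrap()` adjusted to the methods the API actually serves. This avoids a second, broader CORS policy living in the rate-limit middleware. The enclosing function starts and ends outside the hunk, so the branch this runs on should be confirmed.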