From f6ee916d7b675b922f67ceb7351e6ebd48fe62ee Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Wed, 13 Jul 2016 18:37:14 -0400
Subject: [PATCH] Things to get around CORS pre-flight request. Allow Jwt token to be passed via "access_token" query stirng param. Allow JSON body content to be parsed as "text/plain" content type.
---
 src/Api/Startup.cs | 9 ++++++++-
 src/Core/Identity/JwtBearerAppBuilderExtensions.cs | 3 ++-
 src/Core/Identity/JwtBearerEventImplementations.cs | 10 ++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 31522b4c83..128b8deeae 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -22,6 +22,9 @@ using StackExchange.Redis.Extensions.Core;
 using StackExchange.Redis.Extensions.Newtonsoft;
 using Loggr.Extensions.Logging;
 using Newtonsoft.Json;
+using System.Linq;
+using Microsoft.AspNetCore.Mvc.Formatters;
+using Microsoft.Net.Http.Headers;
 
 namespace Bit.Api
 {
@@ -136,7 +139,8 @@ namespace Bit.Api
             // Cors
             services.AddCors(config =>
             {
-                config.AddPolicy("All", policy => policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin());
+                config.AddPolicy("All", policy =>
+                    policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().SetPreflightMaxAge(TimeSpan.FromDays(1)));
             });
 
             // MVC
@@ -144,6 +148,9 @@ namespace Bit.Api
             {
                 config.Filters.Add(new ExceptionHandlerFilterAttribute());
                 config.Filters.Add(new ModelStateValidationFilterAttribute());
+                // Allow JSON of content type "text/plain" to avoid cors preflight
+                config.InputFormatters.OfType().SingleOrDefault()?
+                    .SupportedMediaTypes.Add(MediaTypeHeaderValue.Parse("text/plain"));
             });
         }
 
diff --git a/src/Core/Identity/JwtBearerAppBuilderExtensions.cs b/src/Core/Identity/JwtBearerAppBuilderExtensions.cs
index 21d5ff7a8e..8f8b8e3ea0 100644
--- a/src/Core/Identity/JwtBearerAppBuilderExtensions.cs
+++ b/src/Core/Identity/JwtBearerAppBuilderExtensions.cs
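Review bot: `SetPreflightMaxAge(TimeSpan.FromDays(1))` in the AddCors lambda will not buy a full day of preflight caching in every browser: Access-Control-Max-Age is clamped client-side, and Chromium in particular caps it well below 24 hours as far as I know, so preflights will still recur more often than this line suggests. That is fine as a best effort, but the value deserves a comment so nobody later relies on the number, e.g. `// Upper bound only; browsers clamp Access-Control-Max-Age to their own maximum.` The enclosing ConfigureServices method continues outside the hunk.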
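Review bot: The null-conditional in `config.InputFormatters.OfType().SingleOrDefault()?` means that if the JSON input formatter is ever not found, the text/plain registration silently does nothing and browser clients fall back to preflighted requests with no signal in the logs (and if it is registered twice, SingleOrDefault throws at startup instead); resolving the formatter into a local and logging or throwing when it is null would make that failure visible. The generic type argument of `OfType` appears to have been lost in rendering, so I cannot confirm which formatter type is targeted. The change also has a security consequence worth recording next to the existing comment: a text/plain POST is a CORS "simple request", so after this change every JSON endpoint is reachable cross-origin without a preflight, which is safe only while authentication comes solely from the bearer token and never from cookies or other ambient credentials — e.g. `// Assumes no endpoint trusts cookie/ambient auth: text/plain POSTs skip the CORS preflight.` The AddMvc lambda begins outside the hunk.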
@@ -49,7 +49,8 @@ namespace Bit.Core.Identity
             options.Events = new JwtBearerEvents
             {
                 OnTokenValidated = JwtBearerEventImplementations.ValidatedTokenAsync,
-                OnAuthenticationFailed = JwtBearerEventImplementations.AuthenticationFailedAsync
+                OnAuthenticationFailed = JwtBearerEventImplementations.AuthenticationFailedAsync,
+                OnMessageReceived = JwtBearerEventImplementations.MessageReceivedAsync
             };
 
             app.UseJwtBearerAuthentication(options);
diff --git a/src/Core/Identity/JwtBearerEventImplementations.cs b/src/Core/Identity/JwtBearerEventImplementations.cs
index 0045c6ed5f..54ba96c6df 100644
--- a/src/Core/Identity/JwtBearerEventImplementations.cs
+++ b/src/Core/Identity/JwtBearerEventImplementations.cs
@@ -49,5 +49,15 @@ namespace Bit.Core.Identity
             return Task.FromResult(0);
         }
+
+        public static Task MessageReceivedAsync(MessageReceivedContext context)
+        {
+            if(!context.Request.Headers.ContainsKey("Authorization"))
+            {
+                context.Token = context.Request.Query["access_token"];
+            }
+
+            return Task.FromResult(0);
+        }
     }
 }
 
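Review bot: MessageReceivedAsync accepts a bearer token from the `access_token` query string on every request, and URLs — unlike the Authorization header — are routinely recorded in server and proxy access logs, browser history and Referer headers, so a token sent this way is exposed to far more places than the header path it supplements. If the query-string route is needed only for browser clients avoiding the CORS preflight, it should be limited to those requests rather than enabled globally, request logging should be checked for redaction of `access_token`, and responses authenticated this way should be marked non-cacheable. The header-takes-precedence check via `ContainsKey("Authorization")` is the right ordering, but the method carries no documentation; a header comment such as `// Fallback for clients that cannot send an Authorization header without a CORS preflight: read the bearer token from ?access_token=. The header always wins when present.` would capture the intent for the next maintainer.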