Merge pull request #557 from CartoDB/cors-authorization-headers

adding Authorization to Access-Control-Allow-Headers

NEWS.md

@@ -11,6 +11,8 @@ Announcements:
  * Consider cancelled queries as platform limits.
  * Report fine-grained Garbage Collector stats
  * Both query endpoints as the same one in rate limits terms
+ * Adding Authorization to Access-Control-Allow-Headers (https://github.com/CartoDB/CartoDB-SQL-API/issues/534)
+
 
 ## 2.3.1
 Released 2018-12-23

app/middlewares/cors.js

@@ -2,7 +2,7 @@
 
 module.exports = function cors(extraHeaders) {
     return function(req, res, next) {
-        var baseHeaders = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token';
+        var baseHeaders = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization';
 
         if(extraHeaders) {
             baseHeaders += ', ' + extraHeaders;

test/acceptance/app-configuration.js

@@ -60,7 +60,8 @@ describe('app-configuration', function() {
             method: 'GET'
         }, RESPONSE_OK, function(err, res) {
             assert.equal(
-                res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token'
+                res.headers['access-control-allow-headers'],
+                'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization'
             );
             assert.equal(res.headers['access-control-allow-origin'], '*');
             done();
@@ -76,7 +77,8 @@ describe('app-configuration', function() {
         }, RESPONSE_OK, function(err, res) {
             assert.equal(res.body, '');
             assert.equal(
-                res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token'
+                res.headers['access-control-allow-headers'],
+                'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization'
             );
             assert.equal(res.headers['access-control-allow-origin'], '*');
             done();
@@ -158,7 +160,7 @@ describe('app-configuration', function() {
             assert.equal(res.headers['access-control-allow-origin'], '*');
             assert.equal(
                 res.headers['access-control-allow-headers'],
-                "X-Requested-With, X-Prototype-Version, X-CSRF-Token"
+                "X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization"
             );
             done();
         });