From eff1ca78e9b3ae571e76ecc76aab39d3c6f654bd Mon Sep 17 00:00:00 2001
From: Yousa <snowfly1993@gmail.com>
Date: Tue, 24 Dec 2019 14:44:42 +0800
Subject: [PATCH] feature: added support CORS for /apisix/admin. (#982)

---
 bin/apisix       |  3 ++-
 conf/config.yaml |  1 +
 lua/apisix.lua   | 26 ++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/bin/apisix b/bin/apisix
index b98165d8..06da445d 100755
--- a/bin/apisix
+++ b/bin/apisix
@@ -222,13 +222,14 @@ http {
     server {
         listen {* port_admin *};
 
-        location /apisix/admin/ {
+        location /apisix/admin {
             {%if allow_admin then%}
                 {% for _, allow_ip in ipairs(allow_admin) do %}
                 allow {*allow_ip*};
                 {% end %}
                 deny all;
             {%end%}
+
             content_by_lua_block {
                 apisix.http_admin()
             }
diff --git a/conf/config.yaml b/conf/config.yaml
index e344931f..a7438965 100644
--- a/conf/config.yaml
+++ b/conf/config.yaml
@@ -18,6 +18,7 @@ apisix:
   node_listen: 9080              # APISIX listening port
   enable_heartbeat: true
   enable_admin: true
+  enable_admin_cors: true         # Admin API support CORS response headers.
   enable_debug: false
   enable_dev_mode: false          # Sets nginx worker_processes to 1 if set to true
   enable_ipv6: true
diff --git a/lua/apisix.lua b/lua/apisix.lua
index 3e3d5fce..741862c8 100644
--- a/lua/apisix.lua
+++ b/lua/apisix.lua
@@ -446,6 +446,29 @@ function _M.http_balancer_phase()
     load_balancer(api_ctx.matched_route, api_ctx)
 end
 
+local function cors_admin()
+    local local_conf = core.config.local_conf()
+    if local_conf.apisix and not local_conf.apisix.enable_admin_cors then
+        return
+    end
+
+    local method = get_method()
+    if method == "OPTIONS" then
+        core.response.set_header("Access-Control-Allow-Origin", "*",
+                                "Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE, PATCH",
+                                "Access-Control-Max-Age", "3600",
+                                "Access-Control-Allow-Headers", "*",
+                                "Access-Control-Allow-Credentials", "true",
+                                "Content-Length", "0",
+                                "Content-Type", "text/plain")
+        ngx_exit(200)
+    end
+
+    core.response.set_header("Access-Control-Allow-Origin", "*",
+                            "Access-Control-Allow-Credentials", "true",
+                            "Access-Control-Expose-Headers", "*",
+                            "Access-Control-Max-Age", "3600")
+end
 
 do
     local router
@@ -455,6 +478,9 @@ function _M.http_admin()
         router = admin_init.get()
     end
 
+    -- add cors rsp header
+    cors_admin()
+
     -- core.log.info("uri: ", get_var("uri"), " method: ", get_method())
     local ok = router:dispatch(get_var("uri"), {method = get_method()})
     if not ok then