From aa3bd24332c86b3c566bd9d67d7e90b5e62cbe0b Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Tue, 20 Feb 2024 18:24:57 +0200
Subject: [PATCH] add cors headers
---
 .../api/active_storage_blobs_proxy_controller.rb | 2 ++
 app/controllers/api/api_base_controller.rb | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/app/controllers/api/active_storage_blobs_proxy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_controller.rb
index d6c7953b..4f2968cc 100644
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@@ -7,6 +7,8 @@ module Api
 skip_before_action :authenticate_user!
 skip_authorization_check
+ before_action :set_cors_headers
+
 def show
 blob_uuid, = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
diff --git a/app/controllers/api/api_base_controller.rb b/app/controllers/api/api_base_controller.rb
index 14f5b82b..b5375445 100644
--- a/app/controllers/api/api_base_controller.rb
+++ b/app/controllers/api/api_base_controller.rb
@@ -59,5 +59,13 @@ module Api
 def current_account
 current_user&.account
 end
+
+ def set_cors_headers
+ headers['Access-Control-Allow-Origin'] = '*'
+ headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, PATCH, DELETE, OPTIONS'
+ headers['Access-Control-Allow-Headers'] = '*'
+ headers['Access-Control-Max-Age'] = '1728000'
+ headers['Access-Control-Allow-Credentials'] = true
+ end
 end
 end
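Review bot: The new `before_action :set_cors_headers` gives this controller, which skips both `authenticate_user!` and the authorization check, the full header set from the base controller, including every write method and `Access-Control-Allow-Credentials`, although the only action visible here is `show`, gated by a signed id. A read-only blob proxy needs at most `Access-Control-Allow-Origin` plus `GET, OPTIONS`, so a narrower helper for this controller would keep the exposed surface matched to what it serves. If open cross-origin reads are the intent, a comment above the callback such as `# CORS is open here: access is gated by the signed_uuid, not by a session` would record that decision. A before_action only runs for routed actions, so a browser preflight receives these headers only if an OPTIONS route exists, which the hunk does not show; the class body continues outside the hunk.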
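Review bot: `set_cors_headers` pairs `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials`, a combination browsers reject for credentialed requests, so the last header either does nothing or invites a later change to reflecting the request origin, which would let any site read session-authenticated API responses. If the API is meant to be called cross-origin with a token rather than cookies, drop the line `headers['Access-Control-Allow-Credentials'] = true`; if cookies are required, replace `'*'` with an origin checked against a configured allow-list and add `headers['Vary'] = 'Origin'`. The value is also a Ruby boolean where Rack expects a string (`'true'`). `Access-Control-Allow-Headers: *` does not cover `Authorization` and is treated literally on credentialed requests, so naming the accepted request headers explicitly is safer. The enclosing class starts outside the hunk, so whether this method lands under `private` cannot be confirmed from here.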