
fix(api): CORS preflight requests should be a 204 response

Frédéric Guillot пре 2 недеља
родитељ
комит
cd3ea68024
3 измењених фајлова са 17 додато и 9 уклоњено
  1. 1 1
      internal/api/api.go
  2. 12 4
      internal/api/api_test.go
  3. 4 4
      internal/api/middleware.go

+ 1 - 1
internal/api/api.go

@@ -73,5 +73,5 @@ func NewHandler(store *storage.Storage, pool *worker.Pool) http.Handler {
 	mux.HandleFunc("GET /v1/api-keys", handler.getAPIKeysHandler)
 	mux.HandleFunc("DELETE /v1/api-keys/{apiKeyID}", handler.deleteAPIKeyHandler)
 
-	return middleware.handleCORS(middleware.apiKeyAuth(middleware.basicAuth(mux)))
+	return middleware.withCORSHeaders(middleware.validateAPIKeyAuth(middleware.validateBasicAuth(mux)))
 }

+ 12 - 4
internal/api/api_test.go

@@ -21,8 +21,8 @@ func TestNewHandlerHandlesOptionsRequests(t *testing.T) {
 
 	handler.ServeHTTP(w, r)
 
-	if got := w.Code; got != http.StatusOK {
-		t.Fatalf(`Unexpected status code, got %d instead of %d`, got, http.StatusOK)
+	if got := w.Code; got != http.StatusNoContent {
+		t.Fatalf(`Unexpected status code, got %d instead of %d`, got, http.StatusNoContent)
 	}
 
 	if got := w.Header().Get("Access-Control-Allow-Origin"); got != "*" {
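Review bot: The assertion on `w.Code` now pins 204, but nothing checks that the preflight response body is empty, which is the actual contract of No Content; add `if w.Body.Len() != 0 { t.Fatalf("expected empty body for preflight, got %q", w.Body.String()) }` right after the status check. The request setup for this test sits above the hunk, so I cannot tell whether it sends `Origin` and `Access-Control-Request-Method` headers; if it does not, the test exercises a bare OPTIONS rather than a browser preflight, and a second case with those headers set would cover the path the commit title describes. The enclosing test function starts outside the hunk.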
@@ -32,6 +32,14 @@ func TestNewHandlerHandlesOptionsRequests(t *testing.T) {
 	if got := w.Header().Get("Access-Control-Allow-Methods"); got != "GET, POST, PUT, DELETE, OPTIONS" {
 		t.Fatalf(`Unexpected Access-Control-Allow-Methods header, got %q`, got)
 	}
+
+	if got := w.Header().Get("Access-Control-Allow-Headers"); got != "X-Auth-Token, Authorization, Content-Type, Accept" {
+		t.Fatalf(`Unexpected Access-Control-Allow-Headers header, got %q`, got)
+	}
+
+	if got := w.Header().Get("Access-Control-Max-Age"); got != "3600" {
+		t.Fatalf(`Unexpected Access-Control-Max-Age header, got %q`, got)
+	}
 }
 
 func TestVersionHandler(t *testing.T) {
@@ -102,8 +110,8 @@ func TestNewHandlerSupportsBasePathStripping(t *testing.T) {
 
 			handler.ServeHTTP(w, r)
 
-			if got := w.Code; got != http.StatusOK {
-				t.Fatalf(`Unexpected status code, got %d instead of %d`, got, http.StatusOK)
+			if got := w.Code; got != http.StatusNoContent {
+				t.Fatalf(`Unexpected status code, got %d instead of %d`, got, http.StatusNoContent)
 			}
 		})
 	}

+ 4 - 4
internal/api/middleware.go

@@ -20,21 +20,21 @@ type middleware struct {
 func newMiddleware(s *storage.Storage) *middleware {
 	return &middleware{s}
 }
-func (m *middleware) handleCORS(next http.Handler) http.Handler {
+func (m *middleware) withCORSHeaders(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
 		w.Header().Set("Access-Control-Allow-Headers", "X-Auth-Token, Authorization, Content-Type, Accept")
 		if r.Method == http.MethodOptions {
 			w.Header().Set("Access-Control-Max-Age", "3600")
-			w.WriteHeader(http.StatusOK)
+			response.NoContent(w, r)
 			return
 		}
 		next.ServeHTTP(w, r)
 	})
 }
 
-func (m *middleware) apiKeyAuth(next http.Handler) http.Handler {
+func (m *middleware) validateAPIKeyAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		clientIP := request.ClientIP(r)
 		token := r.Header.Get("X-Auth-Token")
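Review bot: The preflight short-circuit at `if r.Method == http.MethodOptions` answers every OPTIONS request with 204 before the mux sees it, so a plain (non-CORS) OPTIONS to any path, including ones that do not exist, also gets 204 with no `Allow` header; consider narrowing the branch to real preflights with `if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {`. Returning before `validateAPIKeyAuth` and `validateBasicAuth` run is correct here, since browsers send preflights without credentials and an auth challenge would make the browser's CORS check fail. `response.NoContent` is defined outside this diff; I assume it writes 204 with an empty body, which the updated test pins by status only. The new name would also benefit from a doc comment such as `// withCORSHeaders adds permissive CORS headers (Allow-Origin: *) to every response and answers preflight OPTIONS requests with 204 before authentication runs.`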
@@ -87,7 +87,7 @@ func (m *middleware) apiKeyAuth(next http.Handler) http.Handler {
 	})
 }
 
-func (m *middleware) basicAuth(next http.Handler) http.Handler {
+func (m *middleware) validateBasicAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if request.IsAuthenticated(r) {
 			next.ServeHTTP(w, r)