From a7970ec35a1fc3cd9cc415dabb3d87f94780aed7 Mon Sep 17 00:00:00 2001
From: Luca <luca@teapot.ovh>
Date: Wed, 13 Dec 2023 10:41:22 +0100
Subject: [PATCH] don't use wildcard for CORS allow headers

---
 server/src/api/mod.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/api/mod.rs b/server/src/api/mod.rs
index 174c474..0102034 100644
--- a/server/src/api/mod.rs
+++ b/server/src/api/mod.rs
@@ -6,7 +6,7 @@ mod internal;
 pub mod jsonapi;
 mod tempo;
 
-use axum::Router;
+use axum::{Router, http::header::{ACCEPT, AUTHORIZATION}};
 use base::database::get_database;
 pub use error::Error;
 use eyre::Result;
@@ -23,7 +23,7 @@ pub fn router() -> Result<Router> {
     let cors = CorsLayer::new()
         .allow_methods(Any)
         .allow_origin(Any)
-        .allow_headers(Any);
+        .allow_headers([AUTHORIZATION, ACCEPT]);
     let tracing = TraceLayer::new_for_http();
     let conn = get_database()?.clone();
     Ok(Router::new()