fix(surveys): Allow CORS OPTIONS request to be unauthenticated. (#23282)

fix(surveys): Allow CORS OPTIONS request to be unauthenticated Co-authored-by: Phani Raj <[email protected]>
PostHog · Jun 28, 2024 · b7b50d2 · b7b50d2
1 parent eac199d
commit b7b50d2
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/posthog/api/survey.py b/posthog/api/survey.py
@@ -4,7 +4,7 @@
 
 import nh3
 from django.db.models import Min
-from django.http import JsonResponse
+from django.http import JsonResponse, HttpResponse
 from django.utils.text import slugify
 from django.views.decorators.csrf import csrf_exempt
 from nanoid import generate
@@ -467,6 +467,9 @@ class Meta:
 def surveys(request: Request):
     token = get_token(None, request)
 
+    if request.method == "OPTIONS":
+        return cors_response(request, HttpResponse(""))
+
     if not token:
         return cors_response(
             request,

diff --git a/posthog/api/test/test_survey.py b/posthog/api/test/test_survey.py
@@ -2015,6 +2015,16 @@ def _get_surveys(
             REMOTE_ADDR=ip,
         )
 
+    def test_options_unauthenticated(self):
+        unauthenticated_client = Client(enforce_csrf_checks=True)
+        unauthenticated_client.logout()
+        request_headers = {"HTTP_ACCESS_CONTROL_REQUEST_METHOD": "GET", "HTTP_ORIGIN": "*", "USER_AGENT": "Agent 008"}
+        response = unauthenticated_client.options(
+            "/api/surveys", data={}, follow=False, secure=False, headers={}, **request_headers
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.headers["Access-Control-Allow-Origin"], "*")
+
     @snapshot_postgres_queries
     def test_list_surveys(self):
         basic_survey = Survey.objects.create(