http: fix webdav OPTIONS response (#6433)

lib/http/middleware.go

@@ -62,6 +62,11 @@ func basicAuth(authenticator *LoggedBasicAuth) func(next http.Handler) http.Hand
 				next.ServeHTTP(w, r)
 				return
 			}
+			// skip auth for CORS preflight
+			if r.Method == "OPTIONS" {
+				next.ServeHTTP(w, r)
+				return
+			}
 
 			username := authenticator.CheckAuth(r)
 			if username == "" {
@@ -123,6 +128,11 @@ func MiddlewareAuthCustom(fn CustomAuthFn, realm string, userFromContext bool) M
 				next.ServeHTTP(w, r)
 				return
 			}
+			// skip auth for CORS preflight
+			if r.Method == "OPTIONS" {
+				next.ServeHTTP(w, r)
+				return
+			}
 
 			user, pass, ok := parseAuthorization(r)
 			if !ok && userFromContext {
@@ -177,13 +187,6 @@ func MiddlewareCORS(allowOrigin string) Middleware {
 				w.Header().Add("Access-Control-Allow-Headers", "authorization, Content-Type")
 			}
 
-			if r.Method == "OPTIONS" {
-				w.WriteHeader(http.StatusOK)
-				return
-				// Because CORS preflight OPTIONS requests are not authenticated,
-				// and require a 200 OK response, we will return early here.
-			}
-
 			next.ServeHTTP(w, r)
 		})
 	}

lib/http/middleware_test.go

@@ -459,8 +459,7 @@ func TestMiddlewareCORSWithAuth(t *testing.T) {
 				require.NoError(t, s.Shutdown())
 			}()
 
-			expected := []byte("data")
-			s.Router().Mount("/", testEchoHandler(expected))
+			s.Router().Mount("/", testEmptyHandler())
 			s.Serve()
 
 			url := testGetServerURL(t, s)

lib/http/server_test.go

@@ -14,6 +14,10 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func testEmptyHandler() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
+}
+
 func testEchoHandler(data []byte) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write(data)