API CORS Issue / Pre-flight check not working


we are having issue with the API when using JS to query it. It seems like the API in its current implementation with CORS does not handle pre-flight requests correctly.

The CORS pre-flight check made by the browser does an OPTIONS request on the API. But unfortunately the API does not accept this request without authentification:

~ curl -X OPTIONS -H "Origin: https://bla.foo.de" "https://librenms.foo.de/api/v0/devices/test-device/ports/xe-0%2F0%2F0:2"

Unfortunately, the pre-flight check made by all common browsers are not customizable. So we cannot add the ‘X-Auth-Token’ header to this special request.

Our config:

$config['api']['cors']['enabled'] = true;
$config['api']['cors']['origin'] = ['https://bla.foo.de'];
$config['api']['cors']['maxage'] = '86400';
$config['api']['cors']['allowmethods'] = ['POST', 'GET', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'];
$config['api']['cors']['allowheaders'] = ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'X-Auth-Token', 'X-Request'];
$config['api']['cors']['exposeheaders'] = ['Cache-Control', 'Content-Language', 'Content-Type', 'Expires', 'Last-Modified', 'Pragma'];
$config['api']['cors']['allowcredentials'] = false;

In my eyes the API endpoint has to be modified to accept unauthenticated OPTIONS requests for the pre-flight check to work correctly.