From 9c952785e6b5312996c29325b12907394a8f6c9e Mon Sep 17 00:00:00 2001
From: CalDescent <caldescent@protonmail.com>
Date: Sun, 14 Nov 2021 20:24:02 +0000
Subject: [PATCH] Allow the API key to be passed as an "apiKey" parameter in
 the query string or POST body as an alternate option to a header.

This is needed to avoid triggering a CORS preflight (which occurs when using an X-API-KEY header). The core isn't currently capable of responding to a preflight and the UI therefore blocks the entire request. See: https://stackoverflow.com/a/43881141
---
 src/main/java/org/qortal/api/Security.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/main/java/org/qortal/api/Security.java b/src/main/java/org/qortal/api/Security.java
index 8bfcaadf..6d9dc949 100644
--- a/src/main/java/org/qortal/api/Security.java
+++ b/src/main/java/org/qortal/api/Security.java
@@ -36,6 +36,10 @@ public abstract class Security {
 
 		// We require an API key to be passed
 		String passedApiKey = request.getHeader(API_KEY_HEADER);
+		if (passedApiKey == null) {
+			// Try query string - this is needed to avoid a CORS preflight. See: https://stackoverflow.com/a/43881141
+			passedApiKey = request.getParameter("apiKey");
+		}
 		if (passedApiKey == null) {
 			throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Missing 'X-API-KEY' header");
 		}