Don't require signin for OPTIONS requests

[mattfysh]

Description

Hi there, I'm running git-wasm in a web app which is why I need to get the CORS settings right. In my helm chart settings I have:

repository:
  ACCESS_CONTROL_ALLOW_ORIGIN: http://web.app.url
service:
  REQUIRE_SIGNIN_VIEW: true

The issue is that any incoming OPTIONS requests sent by the browser during preflight are being denied by this piece of logic:

gitea/routers/web/githttp.go

Lines 15 to 20 in 698ae7a

	func addOwnerRepoGitHTTPRouters(m *web.Router) {
	reqGitSignIn := func(ctx *context.Context) {
	if !setting.Service.RequireSignInView {
	return
	}
	// rely on the results of Contexter

Browser typically will not send authorization headers with a preflight OPTIONS request, and they will not process any returned 'www-authenticate' header instructions, so this prevents any git-over-http requests from succeeding in the browser

The only workaround currently is to set REQUIRE_SIGNIN_VIEW to false

Gitea Version

1.24.0+dev-342-gead716d204

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Via the helm chart provided here https://gitea.com/gitea/helm-chart

Database

None

[lunny]

I don't think this is the right place to ignore the OPTIONS. The authentication is in the middleware. Search buildAuthGroup.