From 55399d80fe9112e17beb4e3ceaed2cc869744888 Mon Sep 17 00:00:00 2001
From: sto
Date: Fri, 13 Jun 2025 19:33:56 +0200
Subject: [PATCH] Add CORS to /message
---
 app/controllers/messages_controller.rb | 42 +++++++++++++++++---------
 config/routes.rb | 1 +
 2 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index a698e5d..de500ef 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -1,8 +1,10 @@
 class MessagesController < ApplicationController
 include CompletionsConcern
- skip_before_action :verify_authenticity_token, only: %i[ create ]
+ skip_before_action :verify_authenticity_token, only: %i[ create cors_preflight_check ]
+ skip_before_action :require_authentication, only: %i[ create cors_preflight_check ]
+ before_action :cors_set_access_control_headers, only: %i[ create cors_preflight_check ]
 before_action :set_contest, only: %i[ convert destroy ]
 before_action :set_message, only: %i[ convert destroy ]
 before_action :set_data, only: %i[ convert ]
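Review bot: The two `skip_before_action` lines at the top of the controller leave `create` with neither CSRF verification nor a session check, and nothing in the file says what protects the endpoint instead. Judging from the later hunk, the contest token in `params[:token]` appears to be the only gate, so anyone holding a token can post with any `author` value. A comment above the skips would record that intent, for example `# create is called cross-origin without a session; the contest token in params[:token] is the only credential checked.` The class body continues outside this hunk.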
@@ -11,19 +13,35 @@ class MessagesController < ApplicationController
 super + [ "completions" ]
 end
+ def cors_set_access_control_headers
+ response.set_header("Access-Control-Allow-Origin", "https://meet.google.com")
+ response.set_header("Access-Control-Allow-Credentials", "true")
+ response.set_header("Access-Control-Allow-Methods", "POST")
+ response.set_header("Access-Control-Allow-Headers", "*")
+ response.set_header("Access-Control-Max-Age", "86400")
+ end
+
+ def cors_preflight_check
+ skip_authorization
+ end
+
 def create
- allow_unauthenticated_access
 skip_authorization
- @message_params = message_params
- @contest = Contest.find_by_token_for(:token, params[:token])
- @message = Message.new(text: params[:text], author: params[:author], time_seconds: params[:time_seconds],
- display_time: display_time(params[:time_seconds]), contest: @contest)
- if @contest && @message.save
- respond_to do |format|
- format.json { render json: {}, status: 200 }
+ begin
+ @contest = Contest.find_by_token_for(:token, params[:token])
+ @message = Message.new(text: params[:text], author: params[:author], time_seconds: params[:time_seconds],
+ display_time: display_time(params[:time_seconds]), contest: @contest)
+ if @contest && @message.save
+ respond_to do |format|
+ format.json { render json: {}, status: 200 }
+ end
+ else
+ respond_to do |format|
+ format.json { render json: { error: "invalid contest token" }, status: 400 }
+ end
 end
- else
+ rescue
 respond_to do |format|
 format.json { render json: { error: "invalid contest token" }, status: 400 }
 end
@@ -60,8 +78,4 @@ class MessagesController < ApplicationController
 @contestants = @contest.contestants
 @puzzles = @contest.puzzles
 end
-
- def message_params
- params.expect(message: [ :author, :text, :time_seconds, :token ])
- end
 end
diff --git a/config/routes.rb b/config/routes.rb
index 80e3341..ff06d9a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
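Review bot: In `cors_set_access_control_headers`, `Access-Control-Allow-Credentials: true` is combined with `Access-Control-Allow-Headers: *`, and browsers treat that `*` as a literal header name rather than a wildcard once a request carries credentials, so a credentialed preflight naming `Content-Type` would be refused. Because `create` skips `require_authentication` and does not appear to read the session, the endpoint likely needs no cookies at all. The narrower setup is to drop the `Access-Control-Allow-Credentials` line and list the headers explicitly, `response.set_header("Access-Control-Allow-Headers", "Content-Type")`, assuming the client sends only a JSON body. Separately, the bare `rescue` in `create` answers every StandardError with "invalid contest token" and logs nothing, so a database or coding fault is indistinguishable from a bad token. Using `rescue => e` with a `logger.warn` call, or rescuing only the exception actually expected, would keep those failures visible. `create` continues past the end of this hunk.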
@@ -24,6 +24,7 @@ Rails.application.routes.draw do
 resource :session
 resources :users
+ options "message", to: "messages#cors_preflight_check"
 post "message", to: "messages#create"
 get "public/:id", to: "contests#scoreboard"