fix: CORS on assets api (#3659)

internal/api/assets/asset.go

@@ -83,10 +83,10 @@ func NewHandler(commands *command.Commands, verifier *authz.TokenVerifier, authC
 
 	verifier.RegisterServer("Assets-API", "assets", AssetsService_AuthMethods)
 	router := mux.NewRouter()
-	router.Use(sentryhttp.New(sentryhttp.Options{}).Handle, http_mw.CORSInterceptor, instanceInterceptor)
+	router.Use(sentryhttp.New(sentryhttp.Options{}).Handle, instanceInterceptor)
 	RegisterRoutes(router, h)
 	router.PathPrefix("/{owner}").Methods("GET").HandlerFunc(DownloadHandleFunc(h, h.GetFile()))
-	return router
+	return http_util.CopyHeadersToContext(http_mw.CORSInterceptor(router))
 }
 
 func (h *Handler) GetFile() Downloader {

internal/api/authz/context.go

@@ -125,7 +125,10 @@ func GetAllPermissionsFromCtx(ctx context.Context) []string {
 func checkOrigin(ctx context.Context, origins []string) error {
 	origin := grpc.GetGatewayHeader(ctx, http_util.Origin)
 	if origin == "" {
-		return nil
+		origin = http_util.OriginFromCtx(ctx)
+		if origin == "" {
+			return nil
+		}
 	}
 	if http_util.IsOriginAllowed(origins, origin) {
 		return nil

internal/api/http/header.go

@@ -40,9 +40,9 @@ const (
 
 type key int
 
-var (
-	httpHeaders key
-	remoteAddr  key
+const (
+	httpHeaders key = iota
+	remoteAddr
 )
 
 func CopyHeadersToContext(h http.Handler) http.Handler {
@@ -59,6 +59,14 @@ func HeadersFromCtx(ctx context.Context) (http.Header, bool) {
 	return headers, ok
 }
 
+func OriginFromCtx(ctx context.Context) string {
+	headers, ok := ctx.Value(httpHeaders).(http.Header)
+	if !ok {
+		return ""
+	}
+	return headers.Get(Origin)
+}
+
 func RemoteIPFromCtx(ctx context.Context) string {
 	ctxHeaders, ok := HeadersFromCtx(ctx)
 	if !ok {