Merge pull request #40830 from nextcloud/stable27-cors-app_api

[stable27] added CORS skip if session was created by AppAPI

lib/private/AppFramework/Middleware/Security/CORSMiddleware.php

@@ -39,6 +39,7 @@
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
 use OCP\IRequest;
+use OCP\ISession;
 use ReflectionMethod;
 
 /**
@@ -97,6 +98,10 @@ public function beforeController($controller, $methodName) {
 			if ($this->request->passesCSRFCheck()) {
 				return;
 			}
+			// Skip CORS check for requests with AppAPI auth.
+			if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {
+				return;
+			}
 			$this->session->logout();
 			try {
 				if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {