add additional required CORS headers for masto-api requests

1 files changed, 15 insertions, 0 deletions

diff --git a/packages/backend/src/server/api/mastodon/MastodonApiServerService.ts b/packages/backend/src/server/api/mastodon/MastodonApiServerService.ts
index 517beb4f44..d7afc1254e 100644
--- a/packages/backend/src/server/api/mastodon/MastodonApiServerService.ts
+++ b/packages/backend/src/server/api/mastodon/MastodonApiServerService.ts
@@ -55,7 +55,22 @@ export class MastodonApiServerService {
 		});
 
 		fastify.addHook('onRequest', (_, reply, done) => {
+			// Allow web-based clients to connect from other origins.
 			reply.header('Access-Control-Allow-Origin', '*');
+
+			// Mastodon uses all types of request methods.
+			reply.header('Access-Control-Allow-Methods', '*');
+
+			// Allow web-based clients to access Link header - required for mastodon pagination.
+			// https://stackoverflow.com/a/54928828
+			// https://docs.joinmastodon.org/api/guidelines/#pagination
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Expose-Headers
+			reply.header('Access-Control-Expose-Headers', 'Link');
+
+			// Cache to avoid extra pre-flight requests
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Max-Age
+			reply.header('Access-Control-Max-Age', 60 * 60 * 24); // 1 day in seconds
+
 			done();
 		});