Bypass MVC for replying to CORS requests if Bitpay API

BTCPayServer/Controllers/AccessTokenController.cs

@@ -14,8 +14,7 @@ using System.Threading.Tasks;
 namespace BTCPayServer.Controllers
 {
     [Authorize(AuthenticationSchemes = Security.Policies.BitpayAuthentication)]
-    [BitpayAPIConstraint(true)]
+    [BitpayAPIConstraint()]
-    [EnableCors(CorsPolicies.All)]
     public class AccessTokenController : Controller
     {
         TokenRepository _TokenRepository;

BTCPayServer/Controllers/InvoiceController.API.cs

@@ -13,7 +13,6 @@ using NBitpayClient;
 namespace BTCPayServer.Controllers
 {
     [BitpayAPIConstraint]
-    [EnableCors(CorsPolicies.All)]
     [Authorize(Policies.CanCreateInvoice.Key, AuthenticationSchemes = Policies.BitpayAuthentication)]
     public class InvoiceControllerAPI : Controller
     {

BTCPayServer/Hosting/BTCpayMiddleware.cs

@@ -38,6 +38,11 @@ namespace BTCPayServer.Hosting
             {
                 var bitpayAuth = GetBitpayAuth(httpContext, out bool isBitpayAuth);
                 var isBitpayAPI = IsBitpayAPI(httpContext, isBitpayAuth);
+                if (isBitpayAPI && httpContext.Request.Method == "OPTIONS")
+                {
+                    httpContext.Response.StatusCode = 200;
+                    return; // We bypass MVC completely
+                }
                 httpContext.SetIsBitpayAPI(isBitpayAPI);
                 if (isBitpayAPI)
                 {