From e6aa9de0528e897055fbefdbfa8320c1597d1d44 Mon Sep 17 00:00:00 2001
From: Dylan Dellett-Wion <iamdylandw@gmail.com>
Date: Thu, 30 Apr 2026 21:06:55 -0400
Subject: [PATCH] fix: apply CORS middleware to admin CreateBucket route

The PATCH /:bucket/create admin route was missing
middlewares.ApplyDefaultCORS, while every other admin PATCH route
applies it. The OPTIONS preflight handler already sets CORS headers,
so browsers pass preflight but block the actual response for lacking
Access-Control-Allow-Origin. This caused the WebUI bucket-creation
flow to fail with ERR_FAILED even though the server returned 201.

Fixes #2105. Introduced in #1739 when the endpoint was added.

Co-Authored-By: Claude <noreply@anthropic.com>
---
 s3api/admin-router.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/s3api/admin-router.go b/s3api/admin-router.go
index d335c887..fd5628b7 100644
--- a/s3api/admin-router.go
+++ b/s3api/admin-router.go
@@ -110,6 +110,7 @@ func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMSe
 		controllers.ProcessHandlers(ctrl.CreateBucket, metrics.ActionAdminListBuckets, services,
 			middlewares.VerifyV4Signature(root, iam, region, false, true, false),
 			middlewares.IsAdmin(metrics.ActionAdminCreateBucket),
+			middlewares.ApplyDefaultCORS(corsAllowOrigin),
 		))
 	app.Options("/:bucket/create",
 		middlewares.ApplyDefaultCORSPreflight(corsAllowOrigin),