FIX: Add User Api Key headers to CORS

- add User-Api-Key and User-Api-Client-Id to Access-Control-Allow-Headers
- update test

config/initializers/008-rack-cors.rb

@@ -39,7 +39,7 @@ class Discourse::Cors
       end
 
       headers['Access-Control-Allow-Origin'] = origin || cors_origins[0]
-      headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible'
+      headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id'
       headers['Access-Control-Allow-Credentials'] = 'true'
     end
 

spec/components/hijack_spec.rb

@@ -107,7 +107,7 @@ describe Hijack do
 
     expected = {
       "Access-Control-Allow-Origin" => "www.rainbows.com",
-      "Access-Control-Allow-Headers" => "X-Requested-With, X-CSRF-Token, Discourse-Visible",
+      "Access-Control-Allow-Headers" => "X-Requested-With, X-CSRF-Token, Discourse-Visible, User-Api-Key, User-Api-Client-Id",
       "Access-Control-Allow-Credentials" => "true"
     }