API requires Authentication on CORS-preflight / OPTIONS request
Hello!
I have problems authenticating with my web client and I think it's a server side (nginx?) problem:
I try doing XHR requests with the axios JavaScript library. When using extra headers like 'Authorization', the client does a preflight using the OPTIONS method for checking on CORS stuff first.
Doing this preflight must be possible without credentials, but the API responds with a 401 Unauthorized.
You can test it with:
$ curl -X OPTIONS https://reports.exodus-privacy.eu.org/api/search/test
{"detail":"Authentication credentials were not provided."}
For a CORS-preflight request, request’s credentials mode is always "omit", but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS-preflight request as well.
I guess it's not high priority because it's just relevant for web clients.
My Browser:
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Thanks for reporting this :)
Couple of hints on how to solve this with django-rest-framework here: https://github.com/encode/django-rest-framework/issues/5616
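
An added example, not the Exodus project's code and not taken from the linked django-rest-framework issue: a standard-library WSGI middleware that answers the CORS preflight before authentication runs, while every other request still needs credentials. The origin allowlist, the permitted header set and the `protected_app` stand-in are assumptions constructed for illustration.

```python
ALLOWED_ORIGINS = {"https://client.example"}  # assumption: constructed allowlist
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = {"authorization", "content-type"}


def is_preflight(environ):
    """A CORS preflight is OPTIONS with Origin and Access-Control-Request-Method."""
    return (environ.get("REQUEST_METHOD") == "OPTIONS"
            and "HTTP_ORIGIN" in environ
            and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)


class PreflightMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_preflight(environ):
            # Everything else, including a bare OPTIONS, still reaches the auth check.
            return self.app(environ, start_response)
        origin = environ["HTTP_ORIGIN"]
        asked = environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS", "")
        requested = {h.strip().lower() for h in asked.split(",") if h.strip()}
        if origin not in ALLOWED_ORIGINS or not requested <= ALLOWED_HEADERS:
            start_response("403 Forbidden", [("Content-Length", "0")])
            return [b""]
        start_response("204 No Content", [
            ("Access-Control-Allow-Origin", origin),  # echo only allowlisted origins
            ("Access-Control-Allow-Methods", ALLOWED_METHODS),
            ("Access-Control-Allow-Headers", ", ".join(sorted(requested))),
            ("Vary", "Origin"),
        ])
        return [b""]


def protected_app(environ, start_response):
    """Stand-in for the API: rejects requests that carry no Authorization header."""
    if "HTTP_AUTHORIZATION" not in environ:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"detail":"Authentication credentials were not provided."}']
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"[]"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers)."""
    seen = {}
    b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"]
```

In this sketch, an OPTIONS request without `Origin` and `Access-Control-Request-Method` is not treated as a preflight and still gets the 401.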