
API requires Authentication on CORS-preflight / OPTIONS request

Open rponline opened this issue 6 years ago • 2 comments

Hello!

I have problems authenticating with my web client and I think it's a server side (nginx?) problem:

I try doing XHR requests with the axios JavaScript library. When using extra headers like 'Authorization', the client does a preflight using the OPTIONS method for checking on CORS stuff first.

Doing this preflight must be possible without credentials, but the API responds with a 401 Unauthorized.

You can test it with:

$ curl -X OPTIONS https://reports.exodus-privacy.eu.org/api/search/test
{"detail":"Authentication credentials were not provided."}

For a CORS-preflight request, request’s credentials mode is always "omit", but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS-preflight request as well.

I guess it's not high priority because it's just relevant for web clients.

My Browser:
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

rponline, Feb 05 '20 21:02

Thanks for reporting this :)

Couple of hints on how to solve this with django-rest-framework here: https://github.com/encode/django-rest-framework/issues/5616

pnu-s, Feb 05 '20 21:02
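
The behaviour discussed in this thread, as an added example that is not code from the exodus project or from django-rest-framework: a standard-library WSGI wrapper that answers CORS preflights before the authentication layer runs, while every other request still needs credentials. The `api_app` stand-in, the `cors_preflight` and `call` helpers, and the allowed origin `https://client.example` are assumptions made for illustration.

```python
# Added example: stdlib-only WSGI sketch, not exodus or django-rest-framework code.
ALLOWED_ORIGINS = {"https://client.example"}  # constructed allowlist (assumption)
ALLOWED_METHODS = "GET, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"


def api_app(environ, start_response):
    """Stand-in for the authenticated API: 401 unless Authorization is sent."""
    if not environ.get("HTTP_AUTHORIZATION"):
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"detail":"Authentication credentials were not provided."}']
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"[]"]


def cors_preflight(app):
    """Answer CORS preflights before the authentication layer runs."""
    def wrapped(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        is_preflight = (
            environ["REQUEST_METHOD"] == "OPTIONS"
            and origin is not None
            and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ
        )
        if is_preflight:
            headers = [("Vary", "Origin"), ("Content-Length", "0")]
            if origin in ALLOWED_ORIGINS:  # unknown origins get no CORS grant
                headers += [
                    ("Access-Control-Allow-Origin", origin),
                    ("Access-Control-Allow-Methods", ALLOWED_METHODS),
                    ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
                ]
            start_response("204 No Content", headers)
            return [b""]
        return app(environ, start_response)  # everything else is still authenticated
    return wrapped


def call(app, method, **headers):
    """Helper: run one request through a WSGI app, return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api/search/test"}
    environ.update({"HTTP_" + k.upper(): v for k, v in headers.items()})
    seen = {}
    def start_response(status, hdrs):
        seen["status"], seen["headers"] = status, dict(hdrs)
    app(environ, start_response)
    return seen["status"], seen["headers"]
```

This covers only the preflight; the response to the actual request that follows also needs its own `Access-Control-Allow-Origin` header.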