
Swagger UI API testing: 'Invalid CORS Request' response for all request methods except 'GET' requests

Open devcode100 opened this issue 5 years ago • 6 comments

Overview of the issue:

version: 6.3.0

I have set up the JHipster registry project for Swagger API documentation. It is now the central place for the gateway and all other microservice APIs. When testing APIs for the gateway and other microservices, if the request verb is anything other than 'GET', i.e. if the request method is POST, PUT or DELETE, 'Invalid CORS request' is thrown. Response status: 403, Invalid CORS request. All API requests with the GET verb work fine.

Context paths are configured as below:

- jhipster registry: `/registry`
- gateway: `/gateway`

In the local setup (profile `local`) everything works fine from Swagger UI, but once it is deployed to the respective environments the requests start failing.

Please find below the Swagger-generated URLs used for API testing:

- gateway authentication API: `https://xx.99.xx.64/registry/services/gateway/gateway:78b627b6a671cd1a33e53ae603e0eb12/gateway/api/authenticate`
- microservice `micro1`: `https://xx.99.xx.64/registry/services/micro1/micro1:a8ebfb8ee491ceceda595c63e3e87966/api/save`

These APIs fail from Swagger, but work fine when tested through Postman.

CORS configuration for the registry and the gateway:

```yaml
jhipster:
  # CORS is only enabled by default with the "dev" profile, so BrowserSync can access the API
  cors:
    allowed-origins: '*'
    allowed-methods: '*'
    allowed-headers: '*'
    exposed-headers: 'Authorization,Link,X-Total-Count'
    allow-credentials: true
    max-age: 1800
  security:
    client-authorization:
      client-id: internal
      client-secret: internal
    authentication:
      jwt:
        base64-secret: _xxsecretkeyxx_
```

Authentication: JWT

I couldn't figure out the issue, as the setup works fine locally and the Swagger-generated API URLs respond successfully when tested from Postman.

devcode100 avatar Nov 15 '20 09:11 devcode100

Please don't crosspost https://stackoverflow.com/questions/64858052/swagger-ui-api-testing-invalid-cors-request-response-for-all-requests-methods

gmarziou avatar Nov 16 '20 12:11 gmarziou

> Please don't crosspost https://stackoverflow.com/questions/64858052/swagger-ui-api-testing-invalid-cors-request-response-for-all-requests-methods

@gmarziou The thread has been removed. Thanks.

devcode100 avatar Nov 16 '20 13:11 devcode100

Postman does not run in a web browser so it does not apply CORS restrictions.

The registry is a Zuul proxy so it should not be different than a gateway, have you compared their configurations?

gmarziou avatar Nov 16 '20 13:11 gmarziou

> Postman does not run in a web browser so it does not apply CORS restrictions.
>
> The registry is a Zuul proxy so it should not be different than a gateway, have you compared their configurations?

The issue is resolved and it was straightforward :)

The `WebConfigurer.java`:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

    @Bean
    public CorsFilter corsFilter() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        final CorsConfiguration config = jHipsterProperties.getCors();
        if (config.getAllowedOrigins() != null && !config.getAllowedOrigins().isEmpty()) {
            log.debug("Registering CORS filter");
            source.registerCorsConfiguration("/api/**", config);
            source.registerCorsConfiguration("/management/**", config);
            source.registerCorsConfiguration("/v2/api-docs", config);
            source.registerCorsConfiguration("/config/**", config);
            source.registerCorsConfiguration("/eureka/**", config);
            source.registerCorsConfiguration("/*/api/**", config);
            source.registerCorsConfiguration("/services/*/api/**", config);
            source.registerCorsConfiguration("/*/management/**", config);
        }

        // default is to deny all CORS requests
        source.registerCorsConfiguration("/**", new CorsConfiguration());
        return new CorsFilter(source);
    }
```

It was evident from the line `source.registerCorsConfiguration("/**", new CorsConfiguration());` that the default CORS allowed methods were set to 'GET' and 'HEAD' (class: `CorsConfiguration`, method: `setAllowedMethods()`). Removing that line now applies the `allowed-methods` configured in the corresponding config file.

Just curious to know: could you please explain the thinking behind denying CORS requests by default in the registry, where we have a Swagger UI that can act as a central resource to test all APIs across the microservices, including the gateway?

devcode100 avatar Nov 16 '20 18:11 devcode100
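The comment above resolves the problem by deleting the catch-all `"/**"` registration. The added example below, which is not code from the jhipster-registry project or from anyone in this thread, shows the alternative a reviewer would usually prefer: keep the deny-by-default catch-all and instead register the configured `CorsConfiguration` for the path shape that the Swagger UI actually calls through the registry's proxy. `UrlBasedCorsConfigurationSource` returns the first registered pattern that matches, so the proxied path `/services/gateway/gateway:78b6.../gateway/api/authenticate` never reaches `"/services/*/api/**"` (the instance segment sits between `gateway` and `api`) and falls through to the catch-all. The origin `https://registry.example.internal`, the `/services/**` pattern and the class name are assumptions for illustration; the JHipster properties object is replaced by a hand-built `CorsConfiguration` so the class compiles on its own against `spring-web`.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * Added example, not the jhipster-registry WebConfigurer: keeps the restrictive
 * catch-all and adds an explicit pattern for Zuul-proxied service paths.
 */
public class CorsFilterExample {

    /** Equivalent of the YAML block in the issue, built by hand so the example is self-contained. */
    static CorsConfiguration configuredCors() {
        CorsConfiguration config = new CorsConfiguration();
        // Assumption: an explicit origin instead of '*'. Spring Framework 5.3+ rejects
        // allowedOrigins '*' together with allowCredentials=true at startup.
        config.addAllowedOrigin("https://registry.example.internal");
        config.addAllowedMethod("*");
        config.addAllowedHeader("*");
        config.setExposedHeaders(Arrays.asList("Authorization", "Link", "X-Total-Count"));
        config.setAllowCredentials(true);
        config.setMaxAge(1800L);
        return config;
    }

    /** Builds the source the filter consults; registration order is the match order. */
    static UrlBasedCorsConfigurationSource corsSource(CorsConfiguration config) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        source.registerCorsConfiguration("/management/**", config);
        source.registerCorsConfiguration("/v2/api-docs", config);
        source.registerCorsConfiguration("/config/**", config);
        source.registerCorsConfiguration("/eureka/**", config);
        // Assumption: proxied paths look like /services/<app>/<instance>/.../api/**, which the
        // original "/services/*/api/**" pattern cannot match because of the instance segment.
        source.registerCorsConfiguration("/services/**", config);
        // Catch-all stays last: anything not listed above keeps the bare (deny) configuration.
        source.registerCorsConfiguration("/**", new CorsConfiguration());
        return source;
    }

    static CorsFilter corsFilter() {
        return new CorsFilter(corsSource(configuredCors()));
    }

    /** Shows why the thread's diagnosis holds: a bare CorsConfiguration has no allowed
     *  origins and only the default GET/HEAD methods, so checkHttpMethod(POST) yields null. */
    public static void main(String[] args) {
        CorsConfiguration bare = new CorsConfiguration();
        CorsConfiguration allow = configuredCors();
        for (HttpMethod method : new HttpMethod[] {HttpMethod.GET, HttpMethod.POST, HttpMethod.DELETE}) {
            List<HttpMethod> bareResult = bare.checkHttpMethod(method);
            List<HttpMethod> allowResult = allow.checkHttpMethod(method);
            System.out.println(method + " bare=" + bareResult + " configured=" + allowResult);
        }
        System.out.println("bare origin check: " + bare.checkOrigin("https://registry.example.internal"));
        System.out.println("configured origin check: " + allow.checkOrigin("https://registry.example.internal"));
    }
}
```

Two caveats for anyone applying this. First, `checkHttpMethod` on a bare `CorsConfiguration` returns `null` for anything except GET and HEAD, and `checkOrigin` returns `null` for every origin because no origins are allowed; either `null` is what `CorsFilter` turns into the 403 "Invalid CORS request". Second, Spring decides whether a request is cross-origin at all by comparing the browser's `Origin` header with the scheme, host and port the servlet container sees, so behind a TLS-terminating reverse proxy that is not forwarding `X-Forwarded-*` headers an `https://` origin will not match the container's `http://` view and same-origin Swagger UI calls are then evaluated against these patterns; a GET that carries no `Origin` header bypasses the filter entirely, which is consistent with only the non-GET verbs failing after deployment.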

I have no idea why this is done.

@vishal423 do you remember why you made this change? https://github.com/jhipster/jhipster-registry/commit/76a6efc932ef0a9b34ff0dad83653d422bb301c5

gmarziou avatar Nov 16 '20 20:11 gmarziou

The intention was to deny CORS by default, and if the user would like to open it up, they can override it during application startup. However, there is still a problem noted in the comment that should be fixed.

vishal423 avatar Nov 22 '20 15:11 vishal423