
CORS Options request requires authorization --> Preflight will always fail

Open Phoinix-Dev opened this issue 3 years ago • 5 comments

Hello, I have a problem making a CORS request to the server 0.8.0: due to a 401 Unauthorized OPTIONS request, a CORS request is impossible.

Expected behaviour: To make a CORS request in JS, it's expected that the OPTIONS request does not require authorization. The problem is that a CORS authorization always requires a preflight, due to the custom Auth header. As the preflight itself will make an OPTIONS request that requires authorization itself, it's impossible to make the request.

Current behaviour: Currently, the OPTIONS request for CORS receives a 401 unauthorized --> Request impossible.

Is there a built-in solution for that problem? Thank you.

Phoinix-Dev avatar Jan 20 '22 15:01 Phoinix-Dev

When switching to basic auth instead of digest auth, your password is sent in plain text (over the secure https channel if available) directly with the first request. Then there is no need for back-and-forth to exchange random numbers like with digest auth. No idea if that helps with CORS, though.

ByteHamster avatar Jan 21 '22 17:01 ByteHamster

Hi @phoenix-100, saw the same while working on ckulka/baikal-docker#13. The solution was to handle the preflight (OPTIONS) requests in Apache or Nginx instead of Baikal's PHP code.

I came up with a working Nginx configuration, hope it helps: https://github.com/ckulka/infcloud-docker/blob/dd03df55bb04a76a698e34efb438e571e9866ab2/examples/baikal-nginx.conf#L34-L72

ckulka avatar Jan 28 '22 00:01 ckulka

Thank you very much for your answers. I could not find any way to solve this without having to change the server code. As a workaround, I did exactly what @ckulka recommended and made a rule using the Apache Rewrite-Engine.

Phoinix-Dev avatar Mar 28 '22 12:03 Phoinix-Dev

Glad it worked out! Can you post the Apache configuration snippet you added?

I bet others run into similar issues and you could help them out when they find this here.

ckulka avatar Mar 28 '22 17:03 ckulka

Of course, but I have to mention that I don't check where the request is coming from or going to. It's really just a workaround.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ /html [R=200,L]

Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, content-type, authorization"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS, REPORT"

Phoinix-Dev avatar Mar 29 '22 10:03 Phoinix-Dev
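
The workaround above answers every OPTIONS request and allows any origin. As an added example (not code from this thread or from Baikal), here is the decision a layer in front of the server could make instead, written in JavaScript: answer only genuine preflights without credentials, and only for allowlisted origins. The function name `handlePreflight`, the allowlist and the origin `https://calendar.example.org` are assumptions.

```javascript
// Added example: answer CORS preflights in front of an authenticated DAV backend.
// ALLOWED_ORIGINS is a constructed allowlist; replace it with your web client's origin.
const ALLOWED_ORIGINS = new Set(["https://calendar.example.org"]);
const ALLOWED_METHODS = ["GET", "PUT", "POST", "DELETE", "OPTIONS", "REPORT"];
const ALLOWED_HEADERS = ["authorization", "content-type", "origin"];

// Header names are case-insensitive; normalise a plain object to lowercase keys.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns {status, headers} when the request is a CORS preflight that this layer
// answers itself, or null when the request must go on to the backend
// (where authentication still applies).
function handlePreflight(method, headers) {
  const h = lowerKeys(headers);
  const origin = h["origin"];
  const wantMethod = h["access-control-request-method"];

  // A plain WebDAV OPTIONS (no Origin, no Access-Control-Request-Method) is not a preflight.
  if (method.toUpperCase() !== "OPTIONS" || !origin || !wantMethod) return null;

  // Unknown origin, method or header: reply without any Access-Control-Allow-* header,
  // so the browser blocks the cross-origin request.
  const wantHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowed = ALLOWED_ORIGINS.has(origin) &&
    ALLOWED_METHODS.includes(wantMethod.toUpperCase()) &&
    wantHeaders.every((name) => ALLOWED_HEADERS.includes(name));
  if (!allowed) return { status: 403, headers: { Vary: "Origin" } };

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo the vetted origin, not "*"
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      // "authorization" must be listed by name; a "*" here does not cover it.
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      Vary: "Origin",
    },
  };
}
```

The authenticated response that follows the preflight also needs `Access-Control-Allow-Origin` for the same origin, otherwise the browser discards it.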