CROS - FHIR end point does not handle OPTIONS operation

[Ki-nam Choi]

Hi,

I am running the JPAStarter Server in SpringBoot application, and to allow the calls from Javascript, I added the CROS interceptor.  But when the endpoints are called from browser, it has a pre-flight OPTIONS request.  The server is returning ...

Invalid request: The FHIR endpoint on this server does not know how to handle OPTIONS operation[Patient] with parameters [[]]

I expect the CROSInterceptor handles the OPTIONS call, not sure what I am missing. Thanks so much for your helps.

thanks

Ki Nam Choi

[Blessed Tabvirwa]

Hi there

I am guessing you already had a look at a nearly similar question posted before on this forum, https://groups.google.com/g/hapi-fhir/c/xxB2TLSimvU

if not, may you check and confirm if you implemented your interceptor correctly referencing the above-linked thread.

Hope that helps.

--
You received this message because you are subscribed to the Google Groups "HAPI FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hapi-fhir+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/hapi-fhir/60d88974-4321-4d83-9f73-251aa3244e4fn%40googlegroups.com.

                

Subscribe to receive emails from MEDITECH or to change email preferences.

[Ki-nam Choi]

Hi Blessed,

Thanks for the pointer, I looked into the thread but not sure about it.  Seems to me the other author get the problem solved using Filter approach.  Mine is run as SpringBoot Application and thus using interceptor.

I follow the instruction - https://hapifhir.io/hapi-fhir/docs/security/cors.html, create and register the interceptor as below …

CorsConfiguration config = new CorsConfiguration();
config.addAllowedHeader("x-fhir-starter");
config.addAllowedHeader("Origin");
config.addAllowedHeader("Accept");
config.addAllowedHeader("X-Requested-With");
config.addAllowedHeader("Content-Type");
config.addAllowedOrigin("*");
config.addExposedHeader("Location");
config.addExposedHeader("Content-Location");
config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
CorsInterceptor interceptor = new CorsInterceptor(config);
fhirServer.registerInterceptor(interceptor);

Now if I call a GET with Origin from Postman, the response header returns as below …

Vary: Origin

Vary: Access-Control-Request-Method

Vary: Access-Control-Request-Headers

Access-Control-Allow-Origin: http://abc.com

Access-Control-Expose-Headers: Location, Content-Location

Access-Control-Allow-Credentials: true

X-Powered-By: HAPI FHIR 6.2.2 REST Server (FHIR Server; FHIR 4.0.1/R4)

X-Request-ID: j4U8KmYCgWWskft3

But on a Javascript pre-flight call from browser, it fails.

thanks

Ki Nam Choi

[btab...@meditech-int-services.com]

Hi Ki Nam

Since postman is working I suspect the issue is most likely with your JavaScript library, the request itself, or browser CORS settings. Perhaps your Javascript request is somehow missing the Origin request header? 

In case the JavaScript request is making it to your server, try enabling debugging, it may help you get more insight into the issue:

...

CorsInterceptor interceptor = new CorsInterceptor(config);

interceptor.setDebug(true);
fhirServer.registerInterceptor(interceptor);

...

Alternatively, have a look at your postman request (raw) and compare that to your JavaScript you might just be able to spot the difference, which could very well be the key to resolving this.

There are also browser plugins to disable CORS if that is a path you want to pursue just to test your JavaScript code.

Hope that helps