AllowCors Fixture on Auth REST API

[David Freedman]

I'm working on a vue.js SPA running against a py4web backend and am getting the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error (which has been discussed a few times over here) when attempting to call  http://127.0.0.1:8000/cgapi/auth/api/login.  I'm getting the expected 200 when calling from Postman.  What's the best way to put the AllowCors fixture from utils.security on the native py4web auth login api?  My confusion is arising out of the fact that the auth API is predefined vs the remainder of my project where I'm just putting the needed fixtures on the relevant controllers. I appreciate any thoughts.

Dave

[Jim Steil]

I ran into some issues a while back (which are probably the discussions you saw).  I seem to remember doing something to allow CORS from certain IP addresses.  I've since abandoned Vue.js, so I really can't offer much help other than the previous conversations on this list.

Val probably has the answer...

-Jim

[Kevin Keller]

I woukd import the fixture in utils/auth.py and then in that file go to this line :

action(route + "/api/" + api_name, method=["GET", "POST"])
                @action.uses(auth.user)
                def _(auth=auth, api_factory=api_factory):
                    return api_factory(auth)

And add to the. Action.uses next to auth.user.

You could alternatively also add the cors headers into api_wrapper function.

I am Wondering if we should do a pr for this?

We probaly should have the ability to configure the Auth api cors settings from settings.py.. 

--
You received this message because you are subscribed to the Google Groups "py4web" group.
To unsubscribe from this group and stop receiving emails from it, send an email to py4web+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/py4web/c6b14222-7f3a-4404-8128-531d7b889d28n%40googlegroups.com.

[David Freedman]

Thanks to both of you for your responses and I'll take a look at doing it both ways.  Seems in the first, I have to put it in both AuthAPI.public_api and AuthAPI.private_api loops where @api_wrapper takes care of the broader concern in one shot.  I'll leave it to the regular contributors on the pr question as I'm not yet up to speed on the full code base but IMHO would be good to have consistent treatment on all out of the box rest apis and to the extent this is a semi-normal use case, I hate to touch library code vs settings/common/controllers for concern of side effects.

[Val K]

I think it is quite enough to add  *uses everywhere in api/plugin-routes as it is done for auth forms, maybe Massimo just forget to do that? 

With this fix, you can just pass your custom fixture(s) to auth.enable, 

e.g.  auth.enable(..., uses=[my_fixture], spa=True)

https://github.com/web2py/py4web/blob/21393b94892c1301348c6aa3e8fa09dbdbc254ee/py4web/utils/auth.py#L767-L802

четверг, 24 июня 2021 г. в 04:53:29 UTC+3, davidantho...@gmail.com:

[Massimo]

Yes I did. I will do so tomorrow, unless somebody makes a PR first. Thanks David for bringing this up.

[Val K]

done

https://github.com/web2py/py4web/pull/576

but there is a problem:

четверг, 24 июня 2021 г. в 10:25:11 UTC+3, Massimo:

[Val K]

@Massimo 

https://docs.travis-ci.com/user/migrate/open-source-repository-migration

чт, 24 июн. 2021 г. в 11:28, Val K <valq...@gmail.com>:

To view this discussion on the web visit https://groups.google.com/d/msgid/py4web/c9901cd7-288c-4068-8ba9-f3a9163e1f7dn%40googlegroups.com.

[Manuele]

Just for adding my two cents to the thread I'd like to share my personal
solution to the problem:

https://github.com/manuelep/mptools/blob/main/src/mptools/frameworks/py4web/controller.py#L181

Cheers

    M.

Il 24/06/21 03:00, Kevin Keller ha scritto:

[David Freedman]

@Val, This may already be accounted for in your solve (or I could be doing something wrong on my side) but I was still erroring with a 405 due to automatic preflight OPTIONS request on my auth POST.

Adding OPTIONS to method= got me past that (though now getting a 400 for some other reason.)

[Kevin Keller]

What's the error message?

There is usually a hint in the terminal plus a full log in the error ticket.

I suspect that it has something to do with the http option method.

I am not sure there is anything in place that would return the allowed http options today.

But since you already know them maybe you can continue with those for now.

--

You received this message because you are subscribed to the Google Groups "py4web" group.
To unsubscribe from this group and stop receiving emails from it, send an email to py4web+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/py4web/8a9bb006-bc06-41c4-834a-c2fa2d970d9fn%40googlegroups.com.

[Kevin Keller]

You can also join us on discord to discuss 

https://discord.gg/VfMRXH8NbF

[David Freedman]

I'll join you guys on discord.  In the meantime, errors below.  I think it's saying I'm not getting a 200 from the server?  Not sure if that has something to do with p4w's response on OPTION request or a problem with my payload.  Looking into the latter this eve but understanding preflight success dependence on valid payload is beyond my understanding.