How to return Preflight OPTIONS with HTTP STATUS OK?

[Robby]

I'm using vanilla JS fetch API (with mode: cors and credentials: include) to make a GET API call from origin http://localhost:3000 to http://192.168.1.100:3000/api/v1/auth/user-status but am getting the following error:

Access to fetch at 'http://192.168.1.100:3000/api/v1/auth/user-status' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I'm using the default headers plugin and have it defined as following inside app.rb

plugin :default_headers, {

    'Access-Control-Allow-Origin' => 'http://localhost:3000',

    'Access-Control-Allow-Methods' => 'GET, POST, PATCH, PUT, DELETE, OPTIONS, OPTNS',

    'Access-Control-Allow-Headers' => 'Origin, Content-Type, X-Auth-Token, Authorization',

    'Access-Control-Allow-Credentials' => 'true'

  }

Seems like everything is working as expected but I'm getting that error becuase the preflight OPTIONS call does not return an HTTP STATUS OK. How do I make the preflight OPTIONS call return no body but simply an HTTP STATUS of 200 or 204? 

[Jeremy Evans]

The default_headers plugin is not enough, because it only gives the default headers, not the default status.  You could use the default status plugin as well:

plugin :default_status do

  request.request_method == 'OPTIONS' ? 200 : 404

end

I don't think such a approach is a good idea, though.  Responding to any OPTIONS request with 200 and those statuses seems like it might result in problems later.  It would probably be better to only respond with those headers and options to valid preflight requests, though that will take more work.

Thanks,

Jeremy

[Robby Dhillon]

This is great, this should do for me. As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS spec, looks like I can add an app/resource specific header in the preflight request using “Access-Control-Request-Headers” to limit use of this override method to a specific origin and or resource based on presence of a use-case based header or even a token. Thank you for pointing me to this plugin. 🙏

Sent from my iPhone

On Jun 18, 2021, at 6:32 PM, Jeremy Evans <jeremy...@gmail.com> wrote:



--
You received this message because you are subscribed to a topic in the Google Groups "Roda" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ruby-roda/ebezj-qSTlI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ruby-roda+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ruby-roda/CADGZSSeRyhjGHwsTndWLuLqpe-%3DotX1r8Q0dnuAqBibnRGzP6Q%40mail.gmail.com.

[Michael Monerau]

If you want to benefit from a well tested & clean DSL, you could also consider using the Rack::Cors middleware for your Rack app, if it makes sense if your setting.

Best,

Michael

You received this message because you are subscribed to the Google Groups "Roda" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ruby-roda+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ruby-roda/3197D037-A66B-440A-9A8C-BEA8FC24A307%40gmail.com.