Add CORS headers to error message if a token is invalid #757
Comments
Tyk abandons requests before the CORS middleware adds its headers. Probably just need to move this middleware before the Auth checker.
Resolves #757

When `CORS.options_passthrough` is set to true, the CORS middleware would previously write its own CORS headers, meaning that both the upstream's headers and the CORS headers were returned in OPTIONS requests.

Before, Passthrough On:

```
curl -X OPTIONS http://127.0.0.1:8080/cors-auth/post -H 'access-control-request-method: POST' -H 'authorization: 453ec0823db443dd9a8fb6d234917e3d' -H 'origin: abc.com' -I
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: abc.com
Access-Control-Allow-Origin: abc.com
Access-Control-Max-Age: 24
Access-Control-Max-Age: 3600
Allow: POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Oct 2017 11:13:29 GMT
Server: meinheld/0.6.1
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 vegur
X-Powered-By: Flask
X-Processed-Time: 0.000757932662964
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
```

After, Passthrough On:

```
$ curl -X OPTIONS http://127.0.0.1:8080/cors-auth/post -H 'access-control-request-method: POST' -H 'authorization: 453ec0823db443dd9a8fb6d234917e3d' -H 'origin: abc.com' -I
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: abc.com
Access-Control-Max-Age: 3600
Allow: POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Oct 2017 11:14:38 GMT
Server: meinheld/0.6.1
Via: 1.1 vegur
X-Powered-By: Flask
X-Processed-Time: 0.000485897064209
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
```
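The two behaviours discussed in the comment above and in this PR description, as an added stand-alone example in Go (Tyk's implementation language), not Tyk's own code: a minimal middleware chain built on `net/http` and `httptest` in which an auth check that writes its own 403 stops any middleware wrapped inside it, so the CORS middleware has to wrap the auth check for the "key expired" error to be readable by a browser; and an OPTIONS passthrough that must skip the gateway's own CORS headers, or the upstream's and the gateway's headers are both returned, as in the "before" capture. The `gatewayConfig` type and its fields, the origin, token and path are all this example's own assumed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-alone example, not Tyk's code: shows why CORS must wrap
// the auth check, and why OPTIONS passthrough must not add gateway CORS headers.
const (
	allowedOrigin = "https://app.example"     // constructed sample value
	validToken    = "constructed-valid-token" // constructed sample value
)
type gatewayConfig struct {
	corsFirst          bool // CORS wraps auth (the fix) instead of auth wrapping CORS
	passthrough        bool // OPTIONS requests are handed to the upstream unanswered
	writeOnPassthrough bool // pre-fix behaviour: gateway also writes CORS headers on passthrough
}

// setCORS adds the gateway's Access-Control-Allow-Origin for an allowed origin.
func setCORS(w http.ResponseWriter, origin string) {
	if origin == allowedOrigin {
		w.Header().Add("Access-Control-Allow-Origin", origin)
	}
}

// corsMiddleware adds CORS headers, then answers the preflight itself or, with
// passthrough on, forwards OPTIONS down the chain.
func corsMiddleware(cfg gatewayConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "OPTIONS" && cfg.passthrough {
			if cfg.writeOnPassthrough {
				setCORS(w, r.Header.Get("Origin")) // upstream adds its own as well: duplicates
			}
			next.ServeHTTP(w, r)
			return
		}
		setCORS(w, r.Header.Get("Origin"))
		if r.Method == "OPTIONS" {
			w.WriteHeader(http.StatusNoContent) // gateway answers the preflight
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authMiddleware rejects requests without the expected token and writes the 403
// itself, so nothing wrapped inside it runs. Passthrough OPTIONS skip the check.
func authMiddleware(cfg gatewayConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == "OPTIONS" && cfg.passthrough {
			next.ServeHTTP(w, r)
			return
		}
		if r.Header.Get("Authorization") != validToken {
			http.Error(w, "Key has expired, please renew", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// upstream stands in for the proxied API, which answers preflights with its own CORS headers.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Method == "OPTIONS" {
		w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.WriteHeader(http.StatusOK)
		return
	}
	fmt.Fprintln(w, "ok")
})

// buildGateway wires the chain in the order the config asks for.
func buildGateway(cfg gatewayConfig) http.Handler {
	if cfg.corsFirst {
		return corsMiddleware(cfg, authMiddleware(cfg, upstream))
	}
	return authMiddleware(cfg, corsMiddleware(cfg, upstream))
}

// probe sends one request through the gateway and returns the status code and
// every Access-Control-Allow-Origin value in the response.
func probe(cfg gatewayConfig, method, token string) (int, []string) {
	req := httptest.NewRequest(method, "/cors-auth/post", nil)
	req.Header.Set("Origin", allowedOrigin)
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	buildGateway(cfg).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Values("Access-Control-Allow-Origin")
}

func main() {
	for _, cfg := range []gatewayConfig{{}, {corsFirst: true}} {
		code, acao := probe(cfg, "POST", "expired-key")
		fmt.Printf("corsFirst=%-5v expired key: status=%d ACAO=%v\n", cfg.corsFirst, code, acao)
	}
	for _, dup := range []bool{true, false} {
		code, acao := probe(gatewayConfig{corsFirst: true, passthrough: true, writeOnPassthrough: dup}, "OPTIONS", "")
		fmt.Printf("passthrough writeOnPassthrough=%-5v: status=%d ACAO=%v\n", dup, code, acao)
	}
}
```

With auth wrapping CORS, the expired-key 403 comes back with no `Access-Control-Allow-Origin` at all, which is exactly what a browser refuses to expose to page script; with CORS wrapping auth the same 403 carries the header. The two passthrough runs reproduce the PR's before/after: the pre-fix configuration returns two `Access-Control-Allow-Origin` values (gateway plus upstream), the fixed one returns only the upstream's.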
@buger @ConsM Started working on this issue & have a PR #1199 of what I think solves the issue, or maybe just solves a different issue of duplicated CORS headers. Having said this, I am still a little unclear on the expected logic & expected outputs given certain inputs, e.g. is the following logic correct? GIVEN:
WHEN:
THEN:
@Mangomm That logic is correct, but it should actually already be applied, because OPTIONS requests always get passed straight upstream when the feature is enabled. Might drop this issue from the milestone into a patch.
@asoorm can you recap what the current status of this task is?
@asoorm Can you please update what the status of this bug is? Thanks
I am trying to recreate the issue and am unable to do so... Any help with a request, response and an expected response would be very helpful. In Tyk I have an expired token. I enable CORS and OptionsPassthrough. Example POST request:
I send an OPTIONS request to that same endpoint.
This ticket seems to be an incorrect description of the actual issue. Closing in favour of #1506.
Do you want to request a feature or report a bug?
Bug
What is the current behavior?
If the Tyk API is used inside a browser, the browser can't read values with CORS headers. So when Tyk raises a 403 Key Expired error, the browser can't read it.
What is the expected behavior?
OPTIONS pass through should enable a full set of CORS headers for invalid tokens
Which versions of Tyk are affected by this issue? Did this work in previous versions of Tyk?
All
Was speaking with @buger, who might be able to provide more information if needed.