
Add CORS headers to error message if a token is invalid #757

Closed
ConsM opened this issue May 22, 2017 · 8 comments

Comments

@ConsM

ConsM commented May 22, 2017

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
If the Tyk API is used inside a browser, the browser can’t read values with CORS headers. So when Tyk raises a 403 Key Expired error, the browser can’t read it.

What is the expected behavior?
OPTIONS pass through should enable a full set of CORS headers for invalid tokens

Which versions of Tyk are affected by this issue? Did this work in previous versions of Tyk?
All

Was speaking with @buger, who might be able to provide more information if needed.

@buger buger added this to the Release 2.4 milestone May 22, 2017
@buger
Member

buger commented Sep 28, 2017

Tyk abandons requests before the CORS middleware adds its headers. Probably just need to move this middleware before the Auth checker.
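
The ordering problem described above, as an added example that is not Tyk's own code: two net/http middleware chains built from the same CORS and auth layers, one with auth in front (the error response leaves before CORS runs) and one with CORS in front (the 401 carries the CORS headers). The key store, origin list and upstream handler are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data for this example, not a real key store.
var validKeys = map[string]bool{"live-key-0001": true}

// Constructed allow-list of origins.
var allowed = map[string]bool{"https://app.example": true}

// corsMiddleware adds CORS response headers for an allowed Origin. When it
// sits in front of auth it decorates every response the chain produces,
// including the auth layer's error responses. With optionsPassthrough set,
// preflight requests continue down the chain instead of being answered here.
func corsMiddleware(next http.Handler, allowedOrigins map[string]bool, optionsPassthrough bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if allowedOrigins[origin] {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Add("Vary", "Origin")
		}
		if r.Method == http.MethodOptions && !optionsPassthrough {
			// Answer the preflight locally; the auth layer is never reached.
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
			w.Header().Set("Access-Control-Max-Age", "3600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authMiddleware rejects unknown or expired keys with a JSON error and does
// not call the next handler, so anything placed after it never runs.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validKeys[r.Header.Get("Authorization")] {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "Key has expired, please renew"})
			return
		}
		next.ServeHTTP(w, r)
	})
}

// upstream stands in for the proxied API.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "upstream ok")
})

// BuggyChain: auth runs first and writes its error before CORS ever runs.
func BuggyChain() http.Handler {
	return authMiddleware(corsMiddleware(upstream, allowed, true))
}

// FixedChain: CORS runs first, so its headers are present on the auth error too.
func FixedChain() http.Handler {
	return corsMiddleware(authMiddleware(upstream), allowed, true)
}

// Probe sends a cross-origin request with the given key through a chain and
// returns the status plus the Access-Control-Allow-Origin value ("" when the
// header is absent, which a browser treats as a CORS failure and hides the body).
func Probe(chain http.Handler, method, key string) (int, string) {
	req := httptest.NewRequest(method, "http://gw.example/httpbin/post", nil)
	req.Header.Set("Origin", "https://app.example")
	if key != "" {
		req.Header.Set("Authorization", key)
	}
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	chains := map[string]http.Handler{"buggy": BuggyChain(), "fixed": FixedChain()}
	for name, chain := range chains {
		code, acao := Probe(chain, http.MethodPost, "expired-key")
		fmt.Printf("%s: status=%d Access-Control-Allow-Origin=%q\n", name, code, acao)
	}
}
```

With the buggy order the 401 goes back without Access-Control-Allow-Origin, so the browser cannot read the "Key has expired" body at all; with CORS first the same 401 is readable by the page. Note that with passthrough enabled a preflight OPTIONS request still reaches the auth layer in the fixed chain, which is the separate question about OPTIONS handling raised later in this thread.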

asoorm added a commit that referenced this issue Oct 6, 2017
Resolves #757

When `CORS.options_passthrough` is set to true, before, the CORS
middleware would write its own CORS headers, meaning that both the
upstream's headers and the CORS headers were returned in OPTIONS requests.

Before Passthrough On:
```
curl -X OPTIONS http://127.0.0.1:8080/cors-auth/post -H 'access-control-request-method: POST' -H 'authorization: 453ec0823db443dd9a8fb6d234917e3d' -H 'origin: abc.com' -I
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: abc.com
Access-Control-Allow-Origin: abc.com
Access-Control-Max-Age: 24
Access-Control-Max-Age: 3600
Allow: POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Oct 2017 11:13:29 GMT
Server: meinheld/0.6.1
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Via: 1.1 vegur
X-Powered-By: Flask
X-Processed-Time: 0.000757932662964
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
```

After Passthrough On:
```
$ curl -X OPTIONS http://127.0.0.1:8080/cors-auth/post -H 'access-control-request-method: POST' -H 'authorization: 453ec0823db443dd9a8fb6d234917e3d' -H 'origin: abc.com' -I
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: abc.com
Access-Control-Max-Age: 3600
Allow: POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Oct 2017 11:14:38 GMT
Server: meinheld/0.6.1
Via: 1.1 vegur
X-Powered-By: Flask
X-Processed-Time: 0.000485897064209
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
```
@asoorm
Member

asoorm commented Oct 11, 2017

@buger @ConsM Started working on this issue & have a PR #1199 of what I think solves the issue, or maybe just solves a different issue of duplicated CORS headers. Having said this, I am still a little unclear on the expected logic & expected outputs given certain inputs.

e.g. Is the following logic correct?

GIVEN:

  • I send an OPTIONS request

WHEN:

  • Request Token is expired or is invalid
  • and OPTIONS passthrough is true

THEN

  • Gateway should proxy OPTIONS request to upstream target

@asoorm
Member

asoorm commented Oct 25, 2017

@buger @ConsM I need further clarification on this task as I cannot recreate the issue. I need an API definition with the actual request that was made, the response received, and the expected response.

@lonelycode
Member

@Mangomm That logic is correct, but should actually already be applied because OPTIONS requests when the feature is enabled always get passed straight upstream.

Might drop this issue from the milestone into a patch.

@lonelycode lonelycode modified the milestones: Release 2.4, Release 2.4.1 Oct 30, 2017
@buger
Member

buger commented Nov 23, 2017

@asoorm can you recap the current status of this task?

@letzya
Contributor

letzya commented Feb 20, 2018

@asoorm Can you please update us on the status of this bug? Thanks

@asoorm
Member

asoorm commented Feb 28, 2018

I am trying to recreate the issue and am unable to do so... Any help with a request, response and an expected response would be very helpful.

In Tyk, I have an expired token. I enable CORS and OptionsPassthrough.

Example POST Request:

```
$ curl -X POST https://tyk-gateway.dev:8080/httpbin/post -H 'Authorization: 5a71abbe1df0e6269034f06ae78866af6d8741c9b04d272fbe4a98a2' -k -v
> POST /httpbin/post HTTP/1.1
> Host: tyk-gateway.dev:8080
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: 5a71abbe1df0e6269034f06ae78866af6d8741c9b04d272fbe4a98a2
>
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json
< Vary: Origin
< Date: Wed, 28 Feb 2018 13:14:22 GMT
< Content-Length: 48
<
{
    "error": "Key has expired, please renew"
}
```

I send an OPTIONS request to that same endpoint:

```
$ curl -X OPTIONS https://tyk-gateway.dev:8080/httpbin/post -H 'Authorization: 5a71abbe1df0e6269034f06ae78866af6d8741c9b04d272fbe4a98a2' -k -v
> OPTIONS /httpbin/post HTTP/1.1
> Host: tyk-gateway.dev:8080
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: 5a71abbe1df0e6269034f06ae78866af6d8741c9b04d272fbe4a98a2
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
< Access-Control-Allow-Origin: *
< Access-Control-Max-Age: 3600
< Allow: POST, OPTIONS
< Connection: close
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
< Date: Wed, 28 Feb 2018 13:15:53 GMT
< Server: meinheld/0.6.1
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Via: 1.1 vegur
< X-Powered-By: Flask
< X-Processed-Time: 0
< X-Ratelimit-Limit: 0
< X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 0
<
```

@asoorm
Member

asoorm commented Mar 2, 2018

This ticket seems to be an incorrect description of the actual issue. Closing in favour of: #1506

@asoorm asoorm closed this as completed Mar 2, 2018
asoorm added a commit to asoorm/tyk that referenced this issue Mar 19, 2018