allow OPTIONS request without ApiKey #52

Closed
rrd108 opened this issue Dec 9, 2019 · 13 comments

@rrd108

rrd108 commented Dec 9, 2019

I use ApiKey authentication for a vuejs frontend application, having CakePHP at the backend. At first the user gives his email and password to identify himself and in the response he gets his ApiKey, and all later requests happen by ApiKey authentication - currently as a query string parameter.

I want to use it as a header instead of the query string.

The problem is the following. When I send an ajax request to the backend it sends an OPTIONS request without the ApiKey header. It is because by CORS policy it will send a preflight request. Perhaps because the ApiKey header is missing, the backend sends back a 302 response instead of the actual content.

So what I would need is allowing OPTIONS requests to the application without the ApiKey.

@rochamarcelo
Contributor

You could try using header instead of querystring

$config['Auth']['authenticate']['CakeDC/Users.ApiKey'] = [
    'type' => 'header',
];

@rrd108
Author

rrd108 commented Dec 10, 2019

@rochamarcelo I know how to set up to accept the ApiKey in the header. My problem is that the first OPTIONS preflight request does not contain the ApiKey header, so the request is redirected.

So what I would need is allowing OPTIONS requests to the application without the ApiKey.

@rochamarcelo
Contributor

It seems that you need a custom authorization rule for it, I'm not sure if this is a generic case.

@rrd108
Author

rrd108 commented Dec 10, 2019

Can you give me a hint how to do that?

@rochamarcelo
Contributor

@rrd108 please try to add a CorsMiddleware like this one https://github.com/ozee31/cakephp-cors/blob/master/src/Routing/Middleware/CorsMiddleware.php

This should handle the OPTIONS request without having to add custom authorization rules.

Please let us know if this works for you.

@rrd108
Author

rrd108 commented Dec 26, 2019

As I see there is official support for this. Am I right?

https://book.cakephp.org/3/en/controllers/request-response.html#setting-cross-origin-request-headers-cors

Adding OPTIONS to allowMethods did not help.

@rochamarcelo
Contributor

It seems similar to how the mentioned middleware works, but instead of using named methods like allowHeaders it uses the withHeader method.

@rrd108
Author

rrd108 commented Dec 26, 2019

hm... it still refuses option requests

@rochamarcelo
Contributor

Have you followed the plugin installation steps? It requires some config keys: https://github.com/ozee31/cakephp-cors#configuration

@rrd108
Author

rrd108 commented Dec 28, 2019

The problem is that OPTIONS requests do not contain the ApiKey, so they are refused by the plugin.

@rochamarcelo
Contributor

@rrd108 if you check the mentioned behavior, the response for OPTIONS request is handled at https://github.com/ozee31/cakephp-cors/blob/master/src/Routing/Middleware/CorsMiddleware.php#L23

So, using that behavior the OPTIONS request will not go to the controller layer but just return a simple response. If you tried to use that behavior and it did not work, please debug the IF conditions.
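The approach described in the comment above, as an added example (not code from this thread, the plugin, or the linked middleware): a CakePHP 3 style middleware that answers CORS preflights itself for an allowlisted origin, so only the header-less OPTIONS request skips ApiKey authentication. The class name, the origin `https://app.example.com` and the header name `ApiKey` are assumptions.

```php
<?php
// Added example; class name, origin and header name are assumptions.
namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

class PreflightMiddleware
{
    // Only these origins may call the API from a browser (constructed value).
    private $allowedOrigins = ['https://app.example.com'];
    // Headers and methods the real request is allowed to use.
    private $allowedHeaders = 'Content-Type, ApiKey';
    private $allowedMethods = 'GET, POST, PUT, PATCH, DELETE';

    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, $next)
    {
        $origin = $request->getHeaderLine('Origin');
        $isAllowed = in_array($origin, $this->allowedOrigins, true);

        // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        $isPreflight = $request->getMethod() === 'OPTIONS'
            && $request->hasHeader('Access-Control-Request-Method');

        if ($isPreflight) {
            if (!$isAllowed) {
                // Unknown origin: no CORS headers, so the browser blocks the call.
                return $response->withStatus(403);
            }
            // Answer here; the request never reaches authentication or a controller.
            return $response
                ->withStatus(204)
                ->withHeader('Access-Control-Allow-Origin', $origin)
                ->withHeader('Access-Control-Allow-Methods', $this->allowedMethods)
                ->withHeader('Access-Control-Allow-Headers', $this->allowedHeaders)
                ->withHeader('Access-Control-Max-Age', '600')
                ->withHeader('Vary', 'Origin');
        }

        // Every other request continues down the queue and still needs the ApiKey.
        $response = $next($request, $response);
        if ($isAllowed) {
            $response = $response
                ->withHeader('Access-Control-Allow-Origin', $origin)
                ->withHeader('Vary', 'Origin');
        }
        return $response;
    }
}
```

Add it to the middleware queue in `src/Application.php` ahead of anything that authenticates or redirects. The preflight response carries no data, so exempting it does not weaken the ApiKey check on the request that follows.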

@steinkel
Member

Closing this one; if the issue persists, please reopen.
