EspAuthenticator not allowing CORS

[caitlyn-organizer]

I am making a request from an appengine javascript frontend at project-id.appspot.com (default service) with a firebase id token to a cloud endpoint at service-name-dot-project-id.appspot.com. The cloud endpoint uses annotations for firebase auth (see below). However, the call from the client fails due to "No 'Access-Control-Allow-Origin' header is present on the requested resource." This does not happen without the firebase auth annotations on the endpoint. These release notes suggest it is due to EspAuthenticator preventing cross origin resource sharing: https://cloud.google.com/endpoints/docs/release-notes#january_2017. "By default, ESP will block cross-origin requests by rejecting all OPTIONS requests" - from release notes. It states that "allowCors" : "true" can be added to the openapi.json but the documentation is outdated. There is also no synonymous java annotation documented. How can I make a request from my default module front end to a non-default service cloud endpoint using firebase tokens?
@Api(
name = "firebaseauthtest",
version = "v2",
apiKeyRequired = AnnotationBoolean.TRUE,
authenticators = {EspAuthenticator.class},
issuers = {
@ApiIssuer(
name = "firebase",
issuer = "https://securetoken.google.com/" + PROJECT_ID,
jwksUri = "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
)
},
issuerAudiences = {
@ApiIssuerAudience(name = "firebase", audiences = PROJECT_ID)
},
namespace =
@ApiNamespace(
ownerDomain = DOMAIN,
ownerName = DOMAIN,
packagePath = "myproject/endpoints"
)
)

[tangiel]

Are you running on App Engine Flexible or Standard?

[caitlyn-organizer]

Running on App Engine Standard @tangiel

[tangiel]

Can you show sample logs for a rejected request? There should be some information that indicates why a request fails.

[caitlyn-organizer]

@tangiel In the appengine service logs,

We first see an options request with a 200 response.
2018-02-26 14:40:53.428 PST OPTIONS 200 281 B 4.4 s Chrome 63
/_ah/api/firebaseauthtest/v2/firebaseendpoint?key=XXX

Then we see a GET request with a 404 response.
2018-02-26 14:40:57.941 PST GET 404 46 B 121 ms Chrome 63
/_ah/api/firebaseauthtest/v2/firebaseendpoint?key=XXX

On the client side console logs, we see

GET https://service-name-dot-project-id.appspot.com/_ah/api/firebaseauthtest/v1/firebaseendpoint?key=XXX 404 ()

Failed to load https://service-name-dot-project-id.appspot.com/_ah/api/firebaseauthtest/v1/firebaseendpoint?key=XXX: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://project-id.appspot.com' is therefore not allowed access. The response had HTTP status code 404.

[tangiel]

There should be log messages, rather than just the single line. Can you expand the request and post the contents inside?

[caitlyn-organizer]

@tangiel It looks like the URL in the request was wrong, thus a 404. I'm not sure why this resulted in "No 'Access-Control-Allow-Origin' header is present on the requested resource" error on the client side but it seems the Esp info on the release notes was not related to my problem. This is a non-issue and can be closed. Thanks

[tangiel]

Likely the error is because on a 404, the request is not handled by Endpoints, but the default app error handler, which does not add any CORS response headers. Or possibly the CORS handling is not triggered on Endpoints errors.