Wired behaviours between Cors and Pac4jModule

[jonaskahn]

In my project, I setup both CORS and Pac4J like below:

    install(
        Pac4jModule().client(
            "/api/secure/*",
            CheckHttpMethodAuthorizer(
                HttpConstants.HTTP_METHOD.GET,
                HttpConstants.HTTP_METHOD.PUT,
                HttpConstants.HTTP_METHOD.POST,
                HttpConstants.HTTP_METHOD.DELETE,
                HttpConstants.HTTP_METHOD.PATCH
            )
        ) {
            HeaderClient(
                "Authorization",
                "Bearer ",
                AdvancedJwtAuthenticator(
                    require(JedisPooled::class.java),
                    SecretSignatureConfiguration(it.getString("jwt.salt"))
                )
            )
        }
    )

    val corsOption = Cors()
    corsOption.setOrigin("*")
    corsOption.setUseCredentials(true)
    corsOption.setHeaders("X-Requested-With", "Content-Type", "Accept", "Origin", "Authorization")
    corsOption.setMethods("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD")
    corsOption.setMaxAge(Duration.ofMinutes(60))
    use(CorsHandler(corsOption))

AdvancedJwtAuthenticator: Just an extended class to store JWT ID to redis before create user profile.

• If I enabled CORS, when I send method OPTIONS on protected API it will throw 401, the code will be execute

                    if (startAuthentication(context, sessionStore, currentClients)) {
                        LOGGER.debug("Starting authentication");
                        saveRequestedUrl(context, sessionStore, currentClients, config.getClients().getAjaxRequestResolver());
                        action = redirectToIdentityProvider(context, sessionStore, currentClients);
                    } else {
                       // Line 152: DefaultSecurityLogic.java
                        LOGGER.debug("unauthorized");
                        action = unauthorized(context, sessionStore, currentClients);
                    }

• If I turn off Cors, this line of code will be ignored.

It will lead to browser can never send Options method to complete API calling. Could you explain this ?

[jknack]

Just add Cors handler before pac4j, should work.

[jonaskahn]

Confirmed. It worked. Thank you
Btw, Could you write docs to notice other people?

[jknack]

This is part of handler/pipeline documentation https://jooby.io/#router-pipeline-order

You added a security handler before cors, so browser will never reach cors bc of the security handler running first.

does it make sense?

[jonaskahn]

Yup. It does
I missed the docs.
In other framewors and language I've never ever care about the order of settings 💀. This is my second time, before that I also figure out to install Jackson before declare router.
Aw, thank for your help.