New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: Guards should not be executed for OPTIONS
requests
#2314
Comments
OPTIONS
requests
@v3ss0n Does the updated title better reflect the issue? From your error, it looks like the guard is executing when you send in an |
Sorry for late reply , after raising this issue i got sick due to food poison . @guacs already fixed it and i am marking it as closed. I am thinking if it is fit better with your title because it happens on Controller and APP level. What if we apply directly to |
The fix that was made in #2325 does NOT fix this issue by preventing guards from called for OPTIONS requests. It only prevents the middleware from being executed for OPTIONS requests by default. There was already a mechanism for avoiding calling the middleware based on the HTTP method, but there is not an in-built mechanism for guards as of now. |
My workaround for now. async def example_guard(connection: ASGIConnection, _: BaseRouteHandler) -> None:
if connection.scope.get("method") == "OPTIONS":
return
# guard logic |
is that for 2.1 ? I think 2.1 should be fine for that now. |
Just updated to 2.1.1final0 and still behaves the same, the preflight OPTIONS is still being passed to the guard. I think it's similar to what @guacs is describing. |
Yeah, that behavior should still be there since it hasn't been fixed yet :P |
This problem still exist , i had tried with 2.3.1 . |
Just encountered this one today on the latest version 2.3.2 |
It would be easy enough to bypass calling guards for OPTIONS requests - my question is, should it only apply to the options handlers that we generate, or should it be a blanket rule for all OPTIONS method handlers, or be configurable in some manner? |
I think the ideal would be that the guard should only apply to what was defined in the controller/action. So the controller guard should only be applied to class Site(Controller):
guards = [permission_guard]
@get(path="/home")
async def home(self) -> None:
pass
@post(path="/profile")
async def profile(self) -> None:
pass The action guard should only apply to its respective action method handled, class Site(Controller):
@get(
path="/home",
guards=[permission_guard],
)
async def home(self) -> None:
pass
@post(
path="/profile",
guards=[role_guard],
)
async def profile(self) -> None:
pass |
Should we try to handle if an options handler is manually created? class Site(Controller):
guards = [permission_guard]
@get(path="/home")
async def home(self) -> None:
pass
@route(path="/home", http_method="OPTIONS")
async def home_options_handler(self) -> Response[str | None]:
... |
My issue with excluding generated The workaround presented in this comment is the ideal way to handle this IMO; It requires you to explicitly exclude something from the authentication. |
The main point of my example is i am not explicitly handling OPTIONS requests but the guard is being applied. Preflight OPTIONS are a special case as well because they're forced by the browser for CORS. Most other frameworks, through middleware or whatever, will swallow the preflight OPTIONS requests so they don't even make it to your controller because this is the most common use case. So that is another approach instead of needing to workaround every guard that exists. |
I agree with this as well. |
We have faced the exact same issue with guards. Took us couple of hours to troubleshoot. If we are not fixing it at least can we all agree to document it? |
@jayantraizada thanks for reminding me to document this! I've added this to the docs and linked to this issue in #3230. |
In any case, I don't think this is a bug, since the current behaviour works as intended, and is now also explicitly documented. Closing for now. We might revisit the autogenerated OPTIONS handler behaviour in the future. |
Description
When guards are applied at Controller level , it is blocking the OPTIONS requests and causing error when accessing users on the guards.
URL to code causing the issue
https://github.com/litestar-org/litestar-fullstack
MCVE
Steps to reproduce
Screenshots
"![SCREENSHOT_DESCRIPTION](SCREENSHOT_LINK.png)"
Logs
Litestar Version
2.0.1
Platform
The text was updated successfully, but these errors were encountered: