CORS HTTP 405 Status Code

[Seany84]

Describe the bug

I have created an API gateway with YARP and have a couple of downstream APIs.

The problem I am facing is that when running locally, my web client app calls the API gateway, I am getting:

https://localhost:64540/xxx/v1/yyy/zzz 405 (Method Not Allowed)

I have researched this as much as possible and have found a handful or blogs e.g. https://blog.agchapman.com/bypassing-cors-with-yarp-proxy/ but I cannot seem to rectify this CORS issue.

Output from API gateway HTTP logging:

[21:28:06 DBG] Connection id "0HN331AO8SB31" accepted.
[21:28:06 DBG] Connection id "0HN331AO8SB31" started.
[21:28:06 DBG] Connection 0HN331AO8SB31 established using the following protocol: Tls12
[21:28:06 INF] Request starting HTTP/1.1 OPTIONS https://localhost:64540/REDACTED/v1/xxx/yyy - null null
[21:28:06 DBG] 1 candidate(s) found for the request path '/REDACTED/v1/xxx/yyy'
[21:28:06 DBG] Endpoint 'REDACTED' with route pattern 'REDACTED/{**catch-all}' is valid for the request path '/REDACTED/v1/xxx/yyy'
[21:28:06 DBG] Request matched endpoint 'REDACTED'
[21:28:06 DBG] The request has an origin header: 'https://localhost:5173'.
[21:28:06 INF] CORS policy execution successful.
[21:28:06 DBG] The request is a preflight request.
[21:28:06 DBG] Connection id "0HN331AO8SB31" completed keep alive response.
[21:28:06 INF] Request finished HTTP/1.1 OPTIONS https://localhost:64540/REDACTED/v1/xxx/yyy - 204 null null 14.9071ms
[21:28:06 INF] Request starting HTTP/1.1 GET https://localhost:64540/REDACTED/v1/xxx/yyy - null null
[21:28:06 DBG] 1 candidate(s) found for the request path '/REDACTED/v1/xxx/yyy'
[21:28:06 DBG] Endpoint 'REDACTED' with route pattern 'REDACTED/{**catch-all}' is valid for the request path '/REDACTED/v1/xxx/yyy'
[21:28:06 DBG] Request matched endpoint 'REDACTED'
[21:28:06 DBG] The request has an origin header: 'https://localhost:5173'.
[21:28:06 INF] CORS policy execution successful.
[21:28:06 DBG] Static files was skipped as the request already matched an endpoint.
[21:28:06 INF] Executing endpoint 'REDACTED'
[21:28:06 INF] Proxying to https://localhost:64660/v1/xxx/yyy HTTP/2 RequestVersionOrLower 
[21:28:06 INF] Received HTTP/2.0 response 405.
[21:28:06 INF] Executed endpoint 'REDACTED'
[21:28:06 DBG] Connection id "0HN331AO8SB31" completed keep alive response.
[21:28:06 INF] Request finished HTTP/1.1 GET https://localhost:64540/REDACTED/v1/xxx/yyy - 405 0 null 105.5603ms
[21:28:07 INF] Start processing HTTP request POST http://localhost:4318/v1/traces
[21:28:07 INF] Sending HTTP request POST http://localhost:4318/v1/traces
[21:28:12 INF] Received HTTP response headers after 4077.6925ms - 502
[21:28:12 INF] End processing HTTP request after 4078.9004ms - 502

I have the following code configuration implemented on the API gateway project:

Program.cs

var builder = CommonApi.CreateWebApplicationBuilder(args);

var services = builder.Services;

services.AddHttpLogging(logging =>
{
    logging.LoggingFields = HttpLoggingFields.All;
    logging.RequestBodyLogLimit = 4096;
    logging.ResponseBodyLogLimit = 4096;
});

services.AddApplicationDependencies(builder.Configuration, builder.Environment);

services.AddYarp(builder.Configuration);

services.AddCors(opt =>
{
    opt.AddPolicy("corsGatewayPolicy", policyBuilder =>
    {
        policyBuilder
            .AllowAnyOrigin()
            .AllowAnyOrigin()
            .AllowAnyHeader()
            .AllowAnyMethod();
    });
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    HttpClient.DefaultProxy = new WebProxy();
}

app.MapReverseProxy();
app.UseCors("corsGatewayPolicy");

app.UseSwagger();
app.UseSwaggerUI(options =>
{
    var config = app.Services.GetRequiredService<IOptionsMonitor<ReverseProxyDocumentFilterConfig>>().CurrentValue;
    foreach (var cluster in config.Clusters)
    {
        options.SwaggerEndpoint($"/swagger/{cluster.Key}/swagger.json", cluster.Key);
    }
});

app.Run();

Extension method to add YARP to servicecollection:

public static IServiceCollection AddYarp(this IServiceCollection services, IConfiguration config)
    {
        services.AddTransient<IConfigureOptions<SwaggerGenOptions>, ConfigureSwaggerOptions>();

        var endpointSection = new EndpointSection();
        config.Bind(endpointSection);

        services
            .AddReverseProxy()
            .LoadFromMemory(YarpRouteService.Routes(endpointSection.Endpoints.BoundImplementations),
                YarpRouteService.Clusters(endpointSection.Endpoints.BoundImplementations))
            .AddSwagger(YarpRouteService.GetSwaggerConfig(endpointSection.Endpoints.BoundImplementations));

        services.Configure((Action<ReverseProxyDocumentFilterConfig>) (overriddenConfig =>
        {
            overriddenConfig.Swagger = YarpRouteService.GetSwaggerConfig(endpointSection.Endpoints.BoundImplementations).Swagger;
        }));

        return services;
    }

Custom YarpService class

public static class YarpRouteService
{
    public static List<RouteConfig> Routes(List<IEndpoint> endpoints)
    {
        var routes = new List<RouteConfig>();
        
        if (routes == null) throw new ArgumentNullException(nameof(routes));

        foreach (var endpoint in endpoints)
        {
            routes.Add(new RouteConfig
            {
                RouteId = $"{endpoint.RouteName}",
                ClusterId = $"{endpoint.RouteName}-module",
                Order = endpoint.Order,
                CorsPolicy = "corsGatewayPolicy",
                Match = new RouteMatch { Path = $"{endpoint.RouteName}/{{**catch-all}}" },
                Transforms = new []
                {
                    new Dictionary<string, string>
                    {
                        {"PathPattern", "{**catch-all}"}
                    },
                    new Dictionary<string, string>
                    {
                        {"ResponseHeader", "Access-Control-Allow-Origin"},
                        {"Set", "*"}
                    }
                }
            });
        }
        
        return routes;
    }

    public static List<ClusterConfig> Clusters(List<IEndpoint> endpoints)
    {
        var clusters = new List<ClusterConfig>();
        
        if (clusters == null) throw new ArgumentNullException(nameof(clusters));

        clusters.AddRange(endpoints.Select(endpoint => 
            new ClusterConfig { ClusterId = $"{endpoint.RouteName}-module", 
                Destinations = new Dictionary<string, DestinationConfig>(StringComparer.OrdinalIgnoreCase) {
                {
                    "destination1", new DestinationConfig() { Address = endpoint.Uri }
                } 
                } 
            }));

        return clusters;
    }

    public static ReverseProxyDocumentFilterConfig GetSwaggerConfig(List<IEndpoint> endpoints)
    {
        var cluster = new Dictionary<string, ReverseProxyDocumentFilterConfig.Cluster>();
        
        foreach (var endpoint in endpoints)
        {
            cluster.Add($"{endpoint.RouteName}-module", new ReverseProxyDocumentFilterConfig.Cluster
            {
                Destinations = new Dictionary<string, ReverseProxyDocumentFilterConfig.Cluster.Destination>
                {
                    {
                        "destination1", new ReverseProxyDocumentFilterConfig.Cluster.Destination
                        {
                            Address = endpoint.Uri,
                            Swaggers = new[]
                            {
                                new ReverseProxyDocumentFilterConfig.Cluster.Destination.Swagger
                                {
                                    PrefixPath = $"/{endpoint.RouteName}",
                                    Paths = new[] {"/swagger/v1/swagger.json"}
                                }
                            }
                        }
                    }
                }
            });
        }
        return new ReverseProxyDocumentFilterConfig
        {
            Swagger = new ReverseProxyDocumentFilterConfig.SwaggerConfig
            {
              CommonDocumentName  = "YARP", IsCommonDocument = false
            },
            
            Routes = Routes(endpoints).ToDictionary(_ => _.RouteId, _ => _),
            
            Clusters = cluster
        };
    }

To Reproduce

Further technical details

• Include the version of the packages you are using
• The platform (Linux/macOS/Windows)

[MihaZupan]

Why do you believe this is a CORS issue? The client did make the request to the gateway.

Judging by the logs, YARP forwarded the GET request to the backend service (https://localhost:64660/v1/xxx/yyy), and it responded with a 405. Are you sure that the client is using the correct method for this request?
I would recommend looking at the logs in the backend service to see why it decided to reject the request.

[Seany84]

Why do you believe this is a CORS issue? The client did make the request to the gateway.

Judging by the logs, YARP forwarded the GET request to the backend service (https://localhost:64660/v1/xxx/yyy), and it responded with a 405. Are you sure that the client is using the correct method for this request? I would recommend looking at the logs in the backend service to see why it decided to reject the request.

You were completely correct, it ended up being a HTTP verb change that was missed when I replaced the legacy API gateway.

Many thanks for the second pair of eyes :)