Regression: CORS is not handled properly #1054

Closed
4 of 6 tasks
marcinfigiel opened this issue Jan 24, 2023 · 0 comments
Labels
bug Something is not working.

Preflight checklist

Describe the bug

Version 0.40.0 introduced a regression in CORS handling by the decisions API. Up to v0.39.4 it worked flawlessly; now it's broken.

The regression was introduced by #999 - this line to be exact. It adds the CORS handler after the DecisionHandler.
After this change the CORS preflight requests (OPTIONS) are intercepted and authenticated by the DecisionHandler, which always fails, because browsers don't attach the authentication data to the preflight requests.

Reproducing the bug

  1. Run Oathkeeper with the API configuration as attached below
  2. Make Oathkeeper decisions API available under localhost:4456
  3. Execute the following curl:
curl -i 'http://localhost:4456/decisions/some/api/endpoint' \
  -X 'OPTIONS' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9,pl;q=0.8' \
  -H 'Access-Control-Request-Headers: site' \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Connection: keep-alive' \
  -H 'Origin: http://localhost:5000' \
  -H 'Referer: http://localhost:5000/' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-site' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'

Expected response (copied from v0.39.4):

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Site
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://localhost:5000
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: Tue, 24 Jan 2023 14:13:33 GMT
Content-Length: 0

Actual response (copied from v0.40.1):

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Date: Tue, 24 Jan 2023 14:16:16 GMT
Content-Length: 95

{"error":{"code":401,"status":"Unauthorized","message":"The request could not be authorized"}}

Relevant log output

No response

Relevant configuration

serve:
  api:
    cors:
      allow_credentials: true
      allowed_headers:
      - Cookie
      - Content-Type
      - Site
      allowed_methods:
      - GET
      - PUT
      - POST
      - PATCH
      - DELETE
      allowed_origins:
      - http://localhost:5000
      debug: false
      enabled: true
      exposed_headers:
      - Access-Control-Allow-Origin
      - Access-Control-Allow-Method
      - Access-Control-Allow-Headers
      - Access-Control-Allow-Credentials
    port: 4456

Version

0.40.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

@marcinfigiel marcinfigiel added the bug Something is not working. label Jan 24, 2023
aeneasr pushed a commit to marcinfigiel/oathkeeper that referenced this issue Feb 14, 2023
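The ordering problem the issue describes, as an added example that is not part of the issue or of Oathkeeper's code: a minimal preflight-aware CORS middleware (a constructed stand-in for the CORS library, not Oathkeeper's own) is wrapped around a constructed stub of the DecisionHandler in both orders, and the OPTIONS request from the report is replayed against each chain. With CORS in front, the preflight is answered with 200 and the Allow-* headers; with the decision handler in front, the credential-less preflight is rejected with 401 exactly as the actual response above shows. The configuration values are taken from the issue; the handler names and the token check in the stub are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsConfig mirrors the serve.api.cors block from the issue; the struct itself is
// constructed for this example and is not Oathkeeper's configuration type.
type corsConfig struct {
	AllowedOrigins   []string
	AllowedMethods   []string
	AllowedHeaders   []string
	AllowCredentials bool
}

var issueConfig = corsConfig{
	AllowedOrigins:   []string{"http://localhost:5000"},
	AllowedMethods:   []string{"GET", "PUT", "POST", "PATCH", "DELETE"},
	AllowedHeaders:   []string{"Cookie", "Content-Type", "Site"},
	AllowCredentials: true,
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if strings.EqualFold(s, v) {
			return true
		}
	}
	return false
}

// withCORS is a minimal preflight handler standing in for the CORS library. A valid
// preflight (OPTIONS + Access-Control-Request-Method from an allowed origin) is answered
// here and never reaches next; anything else is passed through with Allow-Origin set.
func withCORS(cfg corsConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" || !contains(cfg.AllowedOrigins, origin) {
			next.ServeHTTP(w, r) // not a CORS request, or origin not allowed: untouched
			return
		}
		h := w.Header()
		h.Add("Vary", "Origin")
		h.Set("Access-Control-Allow-Origin", origin)
		if cfg.AllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		reqMethod := r.Header.Get("Access-Control-Request-Method")
		if r.Method != http.MethodOptions || reqMethod == "" {
			next.ServeHTTP(w, r) // actual (non-preflight) request: let the chain authorize it
			return
		}
		reqHeaders := r.Header.Get("Access-Control-Request-Headers")
		if !contains(cfg.AllowedMethods, reqMethod) {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		for _, name := range strings.Split(reqHeaders, ",") {
			if name = strings.TrimSpace(name); name != "" && !contains(cfg.AllowedHeaders, name) {
				w.WriteHeader(http.StatusForbidden)
				return
			}
		}
		h.Set("Access-Control-Allow-Methods", reqMethod)
		h.Set("Access-Control-Allow-Headers", reqHeaders)
		w.WriteHeader(http.StatusOK) // preflight answered; next is never called
	})
}

// withDecision stands in for the DecisionHandler. The real one runs the configured
// authenticators; this constructed stub only checks that some credential is present,
// which a browser never sends on a preflight.
func withDecision(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" && r.Header.Get("Cookie") == "" {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":{"code":401,"status":"Unauthorized","message":"The request could not be authorized"}}`)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildChain wires the two handlers in either order: corsFirst=true is the v0.39.4
// order, corsFirst=false puts the decision handler in front, as #999 did.
func buildChain(corsFirst bool) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	if corsFirst {
		return withCORS(issueConfig, withDecision(ok))
	}
	return withDecision(withCORS(issueConfig, ok))
}

// preflight replays the OPTIONS request from the issue against h and returns the recording.
func preflight(h http.Handler) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodOptions, "http://localhost:4456/decisions/some/api/endpoint", nil)
	req.Header.Set("Origin", "http://localhost:5000")
	req.Header.Set("Access-Control-Request-Method", "GET")
	req.Header.Set("Access-Control-Request-Headers", "site")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	for _, corsFirst := range []bool{true, false} {
		rec := preflight(buildChain(corsFirst))
		fmt.Printf("cors first=%v -> %d allow-origin=%q\n", corsFirst, rec.Code, rec.Header().Get("Access-Control-Allow-Origin"))
	}
}
```

The point to check in any gateway that authenticates requests is the one this reproduces: a preflight carries no credentials by design, so the handler that terminates OPTIONS requests has to sit in front of everything that demands a credential, and a 401 on an OPTIONS request in the logs is the signature of the order being wrong.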