JWT Cors bug #802

Closed
edsonribeiro13 opened this issue Apr 12, 2023 · 3 comments · Fixed by #811
edsonribeiro13 commented Apr 12, 2023

Describe the bug
Cors configuration not working when JWT is enabled

To Reproduce

  1. Add a key or set default to true in the jwt section

Expected behavior
Cors continues to work correctly

Desktop (please complete the following information):

  • pREST version (or commit ref): v1.2.2 (but tried a few others)
  • pREST endpoint: localhost
  • PostgreSQL version: 13.7
  • OS: Ubuntu 20.04

Additional context
I'm using prest to build an integration between my web app and postgres, the cors configuration was okay but stopped working when I activated the JWT configuration. The API is still working in insomnia, node.js and with curl requests but not in the browser, my prest.toml file:

[pg]
url="postgres://postgres:postgres@172.17.0.1:5432/postgres"

[jwt]
key="mykey"

[ssl]
mode="disable"

[queries]
location = "/query/"

[cors]
alloworigin=["*"]
allowheaders=["Content-Type","Authorization"]
allowmethods=["GET","DELETE","POST","PUT","PATCH","OPTIONS"] 

The preflight response with and without jwt:

HTTP/1.1 401 Unauthorized
Content-Type: application/json
X-Content-Type-Options: nosniff
Date: Tue, 11 Apr 2023 23:59:21 GMT
Content-Length: 44

HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Content-Type: application/json
Vary: Origin
Date: Wed, 12 Apr 2023 00:12:39 GMT

avelino commented Apr 12, 2023

Share the way you made the request (if possible, using curl)

avelino added bug product/api-server REST API Server labels Apr 12, 2023

edsonribeiro13 commented Apr 12, 2023

curl that's working normally

curl -i -X GET http://localhost:8005/databases -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.6y42esKnQjjLWRwENxx3lTm_ZYuOYrO6TBKFxEj6SHQ"

If I try an OPTIONS with one of my endpoints of custom queries I receive the following message:

"error": "could not get script sum/sum, invalid http method OPTIONS"

Like if the OPTIONS was not configured, reinforcing the bug report

edsonribeiro13 commented

So it appears that this is the problem: https://stackoverflow.com/questions/39066786/cors-prevent-preflight-of-request-with-authorization-header
Me and my team worked on a pre-response from nginx for OPTIONS requests and the authentication worked, but I think the server should be able to deal with simple requests even with authorization being passed (example: https://blog.morethancode.dev/killing-cors-preflight-requests-on-a-react-spa/) and to have a pre-response ready with headers and a 204 status for this kind of method.
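
Added example (not part of the thread, and not pREST's code or the change merged in #811): browsers send the CORS preflight without an Authorization header, so a token check that runs ahead of CORS handling answers it with 401, while the reverse order answers 204 and still rejects token-less real requests. The names `cors`, `requireBearer`, `status` and `api` and the origin `http://app.example` are assumptions made for this example; the header values mirror the `[cors]` section posted above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cors answers preflights itself; header values mirror the [cors] section above.
func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		// Preflight = OPTIONS + Access-Control-Request-Method; it never carries Authorization.
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			w.Header().Set("Access-Control-Allow-Methods", "GET, DELETE, POST, PUT, PATCH, OPTIONS")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireBearer stands in for JWT validation (assumption: presence check only).
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed, token-less request; acrm "" means a non-preflight request.
func status(h http.Handler, method, acrm string) int {
	req := httptest.NewRequest(method, "/databases", nil)
	req.Header.Set("Origin", "http://app.example") // constructed origin
	req.Header.Set("Access-Control-Request-Method", acrm)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

var api = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "[]") })

func main() {
	jwtFirst, corsFirst := requireBearer(cors(api)), cors(requireBearer(api))
	fmt.Println(status(jwtFirst, "OPTIONS", "GET"), status(corsFirst, "OPTIONS", "GET"), status(corsFirst, "GET", ""))
}
```

Only requests that are recognisably preflights bypass the token check here; every other method and a bare OPTIONS without `Access-Control-Request-Method` still go through `requireBearer`.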
