CORS enabled but OPTION request returns 'method not allowed'

[41WhiteElephants]

I set up a Dockerimage that uses fastapi version 0.59.0 and uvicorn. I enabled CORS like below:
app.add_middleware( CORSMiddleware, allow_origins=["*"], allow_credentials=True, allow_methods=["*"], allow_headers=["*"], )

I defined endpoint for GET & it's working fine:

@router.get("/users", response_model=List[schemas.User]) def users(param1, param2): some code here

But when I try sending OPTION request by the Postman i always get
'{
"detail": "Method Not Allowed"
}'
I tried changing allow_methods to ["GET", "POST", "PUT", "DELETE", "OPTIONS"] but it didn't make it works.
Am I doing something wrong or I just have found a bug?

[phy25]

Please follow the issue template. Are you sending OPTIONS by postman to simulate CORS request sent by the browser? You don't need CORS at all if you could send it through postman, and I would recommend learning more about CORS and see what needs to be present in the request. What exactly do you send in postman.

[41WhiteElephants]

This will be my application flow: website which runs on another domain sends OPTIONS, therefore has to use CORS via an HTTP OPTIONS and when it gets 200_OK & a json with filters from OPTIONS is sending GET request. I choose OPTIONS from request types in Postman and address htttp://localhost:8000/my_api/endpoint_name. I found that I need to define handling options request in fastapi by @router.options("/users", status_code=status.HTTP_200_OK) def users_options(): try: return Msg(message="success") except: raise HTTPException(status_code=404, detail="Not found")

and it's working now.

EDIT: AFAIK OPTIONS should work without defining it explicit.

As a side note: There's no info in FASTAPI official documentation about how to implement handling OPTIONS request so 1) I don't know if my implementation is correct 2) I think you should specify it in documentation for other users

[tiangolo]

Sorry, I can't help you if you don't follow the issue template and provide a minimal example that shows the problem.

If you still have problems please create a new issue and follow the template step by step.

Given that, I'm gonna close this one.

[renatolfc]

Sorry to necrobump, but I think I know what the OP intended to do.

I think the important part of the documentation is CORS preflight requests, which mentions that "These are any OPTIONS request with Origin and Access-Control-Request-Method headers".

In other words, Starlette and FastAPI will only reply successfully to an OPTIONS request if both headers are present.

For example, let's take the first steps server and add a CORS middleware to it:

from fastapi import FastAPI
from starlette.middleware import Middleware
from starlette.middleware.cors import CORSMiddleware

app = FastAPI(middleware=[
    Middleware(CORSMiddleware, allow_origins=["*"])
])

@app.get("/")
async def root():
    return {"message": "Hello World"}

And now make some requests with curl:

1. A GET to /:

$ curl localhost:8000
{"message":"Hello World"}

2. An OPTIONS request to /:

$ curl -XOPTIONS localhost:8000
{"detail":"Method Not Allowed"}

3. An OPTIONS request with Origin set:

$ curl -XOPTIONS -H 'Origin: http://example.com' localhost:8000
{"detail":"Method Not Allowed"}

4. A properly-made OPTIONS request with both headers:

curl -XOPTIONS -H 'Origin: http://example.com' -H 'Access-Control-Request-Method: GET' localhost:8000
OK

So, FastAPI and Starlette do implement OPTIONS support, but requests need to have both the Origin and Access-Control-Request-Method headers set.

[41WhiteElephants]

Thanks subOP, as far as I remember (it was 1+ year ago) it is what I was looking for :) I hope this will help those who have this problem w OPTIONS request. I have never had to make it works since I created this issue