Otherwise, when using API-token, we will get the following preflight issues:
“Access to fetch at ‘http://localhost:8099/api/rsutt/’ from origin ‘http://editor.swagger.io’ has been blocked by CORS policy: Request header field access-token is not allowed by Access-Control-Allow-Headers in preflight response.”
Hmm, it should generate Access-Token in aResponse.Headers[id_AccessControlAllowHeaders]:
procedure TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo(
  aResponse: IROHTTPResponse; aSessionInfo: TROHttpApiSession);
begin
  if Assigned(SessionManager) then begin
    if SessionManager.IsSessionPresent(aSessionInfo.SessionID) then begin
      aResponse.Headers[tag_Access_Token] := GUIDToString(aSessionInfo.SessionID);
      if fCORSCompatible then
        aResponse.Headers[tag_Access_Control_Expose_Headers] := id_Authorization+', '+tag_Access_Token;
    end;
  end;
end;
I believe in this case of preflight issue, tag_Access_Token should be added to AccessControlAllowHeaders, not Access_Control_Expose_Headers, as is indicated in the following browser-returned message:
Access to fetch at ‘http://localhost:8099/api/rsutt/’ from origin ‘http://editor.swagger.io’ has been blocked by CORS policy: Request header field access-token is not allowed by Access-Control-Allow-Headers in preflight response
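
Added example, not part of the thread and not the SDK's code: a small JavaScript model of the check a browser applies to a preflight response, showing that only `Access-Control-Allow-Headers` admits a custom request header, while `Access-Control-Expose-Headers` only controls which response headers scripts may read. The header name `Access-Token` is taken from the error message above; the two sample responses and the function names are constructed for illustration.

```javascript
// Request headers that never need to be listed in the preflight response.
// Simplification: Content-Type is only safelisted for certain values.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Split a comma-separated header value into a lowercase set of names.
function parseHeaderList(value) {
  return new Set((value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Returns the request headers that the preflight response does NOT permit.
// An empty result means the actual request would be sent.
function blockedRequestHeaders(requestHeaders, preflightResponse, withCredentials = false) {
  const resp = {};
  for (const [k, v] of Object.entries(preflightResponse)) resp[k.toLowerCase()] = v;
  // Only Access-Control-Allow-Headers is consulted; Expose-Headers is ignored here.
  const allowed = parseHeaderList(resp['access-control-allow-headers']);
  // "*" is a wildcard only for requests without credentials.
  const wildcard = allowed.has('*') && !withCredentials;
  return requestHeaders.map(h => h.toLowerCase()).filter(h => {
    if (SAFELISTED.has(h)) return false;
    // Authorization must always be listed explicitly; "*" never covers it.
    if (h === 'authorization') return !allowed.has(h);
    return !(wildcard || allowed.has(h));
  });
}

// Constructed sample: the token is exposed for reading but not allowed for sending.
const EXPOSE_ONLY = {
  'Access-Control-Allow-Origin': 'http://editor.swagger.io',
  'Access-Control-Expose-Headers': 'Authorization, Access-Token',
};

// Constructed sample: the same response with the header also allowed on requests.
const WITH_ALLOW = {
  ...EXPOSE_ONLY,
  'Access-Control-Allow-Headers': 'Authorization, Access-Token',
};

console.log(blockedRequestHeaders(['Access-Token'], EXPOSE_ONLY)); // [ 'access-token' ]
console.log(blockedRequestHeaders(['Access-Token'], WITH_ALLOW));  // []
```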