HttpApi with Authorization, Bug?

I am using the LATEST version 9.7.0.1433

uROCustomHTTPServer.pas, line 111

aResponse.Headers[id_AccessControlAllowHeaders] := id_ContentType + ', '+ id_Authorization;

I believe it should really be:

aResponse.Headers[id_AccessControlAllowHeaders] := id_ContentType + ', '+ id_Authorization + ', access-token';

Otherwise, when using an API token, we get the following preflight issue:
“Access to fetch at ‘http://localhost:8099/api/rsutt/’ from origin ‘http://editor.swagger.io’ has been blocked by CORS policy: Request header field access-token is not allowed by Access-Control-Allow-Headers in preflight response.”

Am I right, or what am I missing here?

Hi,

Have you set TROHttpApiSimpleAuthenticationManager.CORSCompatible ?

Yes I did set CORSCompatible = True.

Hmm, it should generate Access-Token in aResponse.Headers[id_AccessControlAllowHeaders]:

procedure TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo(
  aResponse: IROHTTPResponse; aSessionInfo: TROHttpApiSession);
begin
  if Assigned(SessionManager) then begin
    if SessionManager.IsSessionPresent(aSessionInfo.SessionID) then begin
      // hand the session id back to the client in the Access-Token response header
      aResponse.Headers[tag_Access_Token] := GUIDToString(aSessionInfo.SessionID);
      // in CORS mode, let cross-origin script read Authorization and Access-Token
      // from the actual response (Expose-Headers, not Allow-Headers)
      if fCORSCompatible then
        aResponse.Headers[tag_Access_Control_Expose_Headers] := id_Authorization+', '+tag_Access_Token;
    end;
  end;
end;

I believe that for this preflight issue tag_Access_Token should be added to AccessControlAllowHeaders, not Access_Control_Expose_Headers, as indicated by the following browser message:

“Access to fetch at ‘http://localhost:8099/api/rsutt/’ from origin ‘http://editor.swagger.io’ has been blocked by CORS policy: Request header field access-token is not allowed by Access-Control-Allow-Headers in preflight response.”
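The distinction the thread turns on, as an added example that is not part of the original posts or of the RemObjects code: a browser checks the custom *request* header (access-token) against Access-Control-Allow-Headers in the preflight response, and only later uses Access-Control-Expose-Headers to decide which *response* headers script may read. The code below models both sides with the header values from line 111 before and after the proposed fix; the origin, path, session GUID and safelist handling are assumptions for the demo, and the browser model is simplified (it does not skip CORS-safelisted request headers such as a form-encoded Content-Type).

```javascript
// Added example (not RemObjects code): models a CORS preflight and the
// actual request so the effect of Allow-Headers vs Expose-Headers is visible.

const ORIGIN = 'http://editor.swagger.io';                    // assumed allowed origin
const SESSION_ID = '{6B29FC40-CA47-1067-B31D-00DD010662DA}';  // constructed sample GUID

// Parse a comma-separated header list into a lower-cased set.
function splitHeaderList(value) {
  return new Set(
    (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Server: preflight (OPTIONS) response as in line 111 before the fix.
function preflightResponseBefore() {
  return {
    'Access-Control-Allow-Origin': ORIGIN,
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  };
}

// Server: preflight response with Access-Token added to the allow-list.
function preflightResponseFixed() {
  return {
    'Access-Control-Allow-Origin': ORIGIN,
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, Access-Token',
  };
}

// Server: actual response, mirroring WriteAuthenticationInfo: the session id
// goes out in Access-Token and is exposed so cross-origin script can read it.
function actualResponse() {
  return {
    'Access-Control-Allow-Origin': ORIGIN,
    'Access-Token': SESSION_ID,
    'Access-Control-Expose-Headers': 'Authorization, Access-Token',
  };
}

// Browser: preflight check. Each request header must be named in
// Access-Control-Allow-Headers (case-insensitive). "*" acts as a wildcard,
// except that Authorization must always be listed explicitly.
function preflightCheck(preflightHeaders, requestHeaderNames) {
  const allowed = splitHeaderList(preflightHeaders['Access-Control-Allow-Headers']);
  const wildcard = allowed.has('*');
  for (const raw of requestHeaderNames) {
    const name = raw.toLowerCase();
    const ok = allowed.has(name) || (wildcard && name !== 'authorization');
    if (!ok) {
      return {
        ok: false,
        blocked: name,
        message: `Request header field ${name} is not allowed by ` +
                 `Access-Control-Allow-Headers in preflight response`,
      };
    }
  }
  return { ok: true };
}

// Browser: after the actual request, script may read only CORS-safelisted
// response headers plus those named in Access-Control-Expose-Headers.
const SAFELISTED_RESPONSE = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);
function readableHeaders(responseHeaders) {
  const exposed = splitHeaderList(responseHeaders['Access-Control-Expose-Headers']);
  const out = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    const key = k.toLowerCase();
    if (SAFELISTED_RESPONSE.has(key) || exposed.has(key)) out[key] = v;
  }
  return out;
}

// The request the Swagger editor sends: a JSON body plus the API token header.
const REQUEST_HEADERS = ['Content-Type', 'Access-Token'];

function demo() {
  return {
    before: preflightCheck(preflightResponseBefore(), REQUEST_HEADERS),
    fixed: preflightCheck(preflightResponseFixed(), REQUEST_HEADERS),
    readable: readableHeaders(actualResponse()),
  };
}
```

Running demo() reproduces the browser error text for the "before" headers and passes for the fixed ones; Expose-Headers on the actual response is what lets script read the returned Access-Token, but by itself it never satisfies the preflight.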

Thanks, logged as bugs://82580

Thanks, logged as bugs://82581

bugs://82581 got closed with status fixed.

bugs://82580 got closed with status fixed.