HttpApi with Authorization, Bug?

delphi
(wuping) #1

I am using the LATEST version 9.7.0.1433

uROCustomHTTPServer.pas, line 111

aResponse.Headers[id_AccessControlAllowHeaders] := id_ContentType + ', '+ id_Authorization;

I believe it should really be:

aResponse.Headers[id_AccessControlAllowHeaders] := id_ContentType + ', '+ id_Authorization + ', access-token';

Otherwise, when using API-token, we will get the following preflight issues:
“Access to fetch at ‘http://localhost:8099/api/rsutt/’ from origin ‘http://editor.swagger.io’ has been blocked by CORS policy: Request header field access-token is not allowed by Access-Control-Allow-Headers in preflight response.”

Am I right, or what am I missing here?

(EvgenyK) #2

Hi,

Have you set TROHttpApiSimpleAuthenticationManager.CORSCompatible ?

(wuping) #3

Yes I did set CORSCompatible = True.

(EvgenyK) #4

hmm, it should generate Access-Token in aResponse.Headers[id_AccessControlAllowHeaders]:

procedure TROHttpApiSimpleAuthenticationManager.WriteAuthenticationInfo(
  aResponse: IROHTTPResponse; aSessionInfo: TROHttpApiSession);
begin
  if Assigned(SessionManager) then begin
    if SessionManager.IsSessionPresent(aSessionInfo.SessionID) then begin
      aResponse.Headers[tag_Access_Token] := GUIDToString(aSessionInfo.SessionID);
      if fCORSCompatible then
        aResponse.Headers[tag_Access_Control_Expose_Headers] := id_Authorization+', '+tag_Access_Token;
    end;
  end;
end;

(wuping) #5

I believe that in this preflight case, tag_Access_Token should be added to AccessControlAllowHeaders, not Access_Control_Expose_Headers, as indicated in the following browser-returned message:

Access to fetch at ‘http://localhost:8099/api/rsutt/’ from origin ‘http://editor.swagger.io’ has been blocked by CORS policy: Request header field access-token is not allowed by Access-Control-Allow-Headers in preflight response
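
A browser-side model of the preflight check behind the error quoted above, added here as an example (it is not code from this thread or from the RemObjects SDK); the header values are constructed from the messages in this thread, and the simplified safelist ignores the per-value limits the real check applies to Content-Type:

```javascript
// Minimal model of the browser's CORS preflight header check (added example).
// CORS-safelisted request headers never need to be listed by the server
// (simplified: the per-value limits on e.g. Content-Type are ignored here).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Split a comma-separated header list; names compare case-insensitively.
function parseHeaderList(value) {
  return (value || '').split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
}

// requestHeaders: names the actual request will send (the browser puts the
// non-safelisted ones into Access-Control-Request-Headers).
// preflightResponse: what the server answered to OPTIONS, keyed by lower-case name.
// Returns { ok, blocked } where blocked lists the rejected header names.
function checkPreflight(requestHeaders, preflightResponse, withCredentials = false) {
  const allowed = parseHeaderList(preflightResponse['access-control-allow-headers']);
  // A bare "*" matches any name, but not when credentials are sent.
  const wildcard = allowed.includes('*') && !withCredentials;
  const blocked = [];
  for (const name of requestHeaders.map(h => h.toLowerCase())) {
    if (SAFELISTED.has(name) || allowed.includes(name)) continue;
    // Authorization is never covered by the wildcard.
    if (wildcard && name !== 'authorization') continue;
    blocked.push(name);
  }
  // Note: Access-Control-Expose-Headers is never consulted here; it only
  // governs which *response* headers script may read after the request.
  return { ok: blocked.length === 0, blocked };
}

// Constructed sample: headers the fetch from editor.swagger.io sends.
const REQUEST_HEADERS = ['Content-Type', 'access-token'];

// Preflight response as the thread describes it: Access-Token only exposed.
const BEFORE = {
  'access-control-allow-origin': 'http://editor.swagger.io',
  'access-control-allow-headers': 'Content-Type, Authorization',
  'access-control-expose-headers': 'Authorization, Access-Token',
};

// Same response with access-token added to Allow-Headers, as proposed in #1.
const AFTER = {
  ...BEFORE,
  'access-control-allow-headers': 'Content-Type, Authorization, access-token',
};

console.log(checkPreflight(REQUEST_HEADERS, BEFORE)); // { ok: false, blocked: ['access-token'] }
console.log(checkPreflight(REQUEST_HEADERS, AFTER));  // { ok: true, blocked: [] }
```

Exposing Access-Token only lets the page read that header on a response; it does nothing for the preflight, which is why the request stays blocked until the name appears in Access-Control-Allow-Headers.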

(RemObjects) #6

Thanks, logged as bugs://82580

(RemObjects) #7

Thanks, logged as bugs://82581