Open afreidz opened 1 year ago
I think the issue here is that I am protecting nearly every route using "authenticated" and adding a 401 response override to 302 to the login page. This setup would cover /api/* routes too. So maybe another question is: is there a preferred way to authenticate API calls for Azure Static Web Apps?
I am also seeing this same behavior. Is there any resolution?
Not that I have seen. I think I had to open the API routes to anonymous traffic and authenticate those requests manually. Let me look again.
Yea, looks like that's what I did. I have:

```json
"routes": [
  {
    "route": "/api/*",
    "allowedRoles": ["anonymous"]
  }
]
```

and then I use the header x-ms-client-principal and decode it from base64 to get the authenticated user details in the API. I have NO IDEA if this is secure or if it can be easily spoofed, but for me it was enough for an internal application. It was less about "authorization" and more about using the user id to get only their associated records from a database. 🤷
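The decoding step described in the comment above, as an added example that is not code from the thread or from the Azure Static Web Apps project. Static Web Apps forwards the client principal to the API as a base64-encoded JSON document with identityProvider, userId, userDetails and userRoles; the helper below parses it and treats every failure mode (missing header, malformed base64/JSON, no "authenticated" role) as an anonymous request. The assumption that request headers are available as a plain object with lower-cased keys is the example's own, as is the sample principal. Whether the header can be spoofed depends on whether a caller can reach the Functions host without going through the Static Web Apps front end; nothing in this code can check that.

```javascript
// Added example (not code from the thread): decode the x-ms-client-principal
// header that Azure Static Web Apps injects on requests it forwards to the
// managed Functions API. The header is base64-encoded JSON carrying
// identityProvider, userId, userDetails and userRoles.
// Assumption: the hosting framework exposes request headers as a plain
// object with lower-cased keys; adapt the lookup to your Functions runtime.

const PRINCIPAL_HEADER = 'x-ms-client-principal';

// Parse the header. Returns null for anything that is not a well-formed
// principal with the "authenticated" role, so callers can treat every
// failure mode the same way: as an anonymous request.
function parseClientPrincipal(headerValue) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return null;
  let principal;
  try {
    principal = JSON.parse(Buffer.from(headerValue, 'base64').toString('utf8'));
  } catch {
    return null; // not base64-encoded JSON
  }
  if (!principal || typeof principal !== 'object') return null;
  if (typeof principal.userId !== 'string' || principal.userId === '') return null;
  const roles = Array.isArray(principal.userRoles) ? principal.userRoles.map(String) : [];
  if (!roles.includes('authenticated')) return null;
  return {
    identityProvider: String(principal.identityProvider ?? ''),
    userId: principal.userId,
    userDetails: String(principal.userDetails ?? ''),
    userRoles: roles,
  };
}

// Gate a handler on the principal: 401 when it is missing or unusable,
// otherwise hand the caller a userId to scope database queries by.
function requireUser(headers) {
  const user = parseClientPrincipal(headers[PRINCIPAL_HEADER]);
  if (user === null) {
    return { status: 401, body: { error: 'not authenticated' } };
  }
  return { status: 200, user };
}

// Constructed sample principal and header (not captured from a deployment).
const SAMPLE_PRINCIPAL = {
  identityProvider: 'aad',
  userId: 'd75b260a64504067bfc5b2905e3b8182',
  userDetails: 'user@example.com',
  userRoles: ['anonymous', 'authenticated'],
};
const SAMPLE_HEADER = Buffer.from(JSON.stringify(SAMPLE_PRINCIPAL), 'utf8').toString('base64');

console.log(requireUser({ [PRINCIPAL_HEADER]: SAMPLE_HEADER }));
console.log(requireUser({}));
```

Use the returned userId only as a lookup key for the caller's own records, as the comment describes; the "authenticated" role check matters because Static Web Apps assigns "anonymous" to every visitor, so a role list alone is not proof of a login.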
Interesting. Thanks for the info! I'm trying one thing to see if it works: my app was making a request to the API before the initial 302 redirect on the home route, so I'm hoping that if I prevent that from happening it might fix the issue.
No problem! Yea, I was able to circumvent most scenarios by authenticating on the front-end first before any API calls. Where this became an issue for me was: leaving the app running and the session/token eventually hits a timeout. The next action would subsequently require re-logging in. For me, that was another API call that I made when the app was "unbackgrounded"... that call failed and I had to do some error handling gymnastics to trigger re-authenticating. In essence, the user sees an error modal for a split second before a programmatic refresh that re-auths them. Not ideal at all. Wish someone would take a look at this!
On an Azure Static Web App, using managed Azure Functions as an API, when I let my app stay open overnight, the next API call to the Azure Function fails CORS preflight due to the response 302 redirecting to https://identity.2.azurestaticapps.net/.redirect/aad
staticwebapp.config.json
GitHub Action
Error
Redirected from 'https://XXXXXXX/api/trpc/ZZZZZZ.getByDate?input=%7B%22date%22%3A%222023-06-05%22%7D') from origin 'https://XXXXXXX' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
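One way to handle the expired-session case the issue and the "unbackgrounded" comment describe, as an added example rather than code from the reporter or the Static Web Apps project. Instead of letting the first post-timeout /api call hit the 302 (which the browser surfaces as a blocked preflight redirect and fetch() reports as a TypeError), the client first asks the same-origin /.auth/me endpoint whether a clientPrincipal still exists and, if not, navigates to /.auth/login/<provider> with post_login_redirect_uri so the user lands back on the same page. /.auth/me, /.auth/login and post_login_redirect_uri are the platform's built-in endpoints and parameter; the provider name "aad", the API path, the fetch and navigation stand-ins and the return path are this example's assumptions.

```javascript
// Added example (not part of the issue): a client-side guard for a Static
// Web App whose /api/* routes require the "authenticated" role. It checks
// the session via /.auth/me before calling the API and redirects to login
// when the session is gone, and it also handles the race where the session
// lapses between that check and the API call (seen as a TypeError).

const LOGIN_PROVIDER = 'aad'; // assumption: Azure AD is the configured provider

function loginUrl(returnTo) {
  return `/.auth/login/${LOGIN_PROVIDER}?post_login_redirect_uri=${encodeURIComponent(returnTo)}`;
}

// Returns the current clientPrincipal, or null when there is no session.
async function currentPrincipal(fetchImpl) {
  const res = await fetchImpl('/.auth/me', { credentials: 'same-origin' });
  if (!res.ok) return null;
  const body = await res.json();
  return body && body.clientPrincipal ? body.clientPrincipal : null;
}

// Call the API only when a session exists; otherwise send the user to login.
// `fetchImpl` and `navigate` are injected (window.fetch and
// window.location.assign in a browser) so the flow can run without one.
async function authenticatedFetch(url, options, { fetchImpl, navigate, returnTo }) {
  const principal = await currentPrincipal(fetchImpl);
  if (principal === null) {
    navigate(loginUrl(returnTo));
    return { redirectedToLogin: true, response: null };
  }
  try {
    const response = await fetchImpl(url, { credentials: 'same-origin', ...options });
    return { redirectedToLogin: false, response };
  } catch (err) {
    // The 302 to the identity host is blocked by the browser and reaches
    // fetch() callers as a TypeError, not as a response object.
    if (err instanceof TypeError) {
      navigate(loginUrl(returnTo));
      return { redirectedToLogin: true, response: null };
    }
    throw err;
  }
}

// Constructed stand-in for the browser's fetch: `aliveAtCheck` controls the
// /.auth/me answer, `aliveAtCall` whether the API call itself still succeeds.
function fakeFetch(aliveAtCheck, aliveAtCall) {
  return async (url) => {
    if (url === '/.auth/me') {
      const clientPrincipal = aliveAtCheck
        ? { userId: 'u1', userRoles: ['anonymous', 'authenticated'] }
        : null;
      return { ok: true, json: async () => ({ clientPrincipal }) };
    }
    if (!aliveAtCall) throw new TypeError('Failed to fetch'); // blocked redirect
    return { ok: true, json: async () => ({ items: [] }) };
  };
}

// Run one scenario and report whether the user was sent to login.
async function demo(aliveAtCheck, aliveAtCall) {
  const visited = [];
  const result = await authenticatedFetch('/api/trpc/getByDate', { method: 'GET' }, {
    fetchImpl: fakeFetch(aliveAtCheck, aliveAtCall),
    navigate: (u) => visited.push(u),
    returnTo: '/dashboard',
  });
  return { redirectedToLogin: result.redirectedToLogin, visited };
}

demo(false, false).then((r) => console.log('expired session:', r));
demo(true, true).then((r) => console.log('live session:', r));
```

In a real page the same guard would be triggered from a visibilitychange handler when the app is brought back to the foreground, which is the moment the comment above identifies as the one that fails.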