DataONEorg / bookkeeper

Bookkeeper keeps track of DataONE product subscriptions and quotas for researchers using the extended services.

Services not returning CORS headers on errors #63

Closed gothub closed 4 years ago

gothub commented 4 years ago

When quotas are listed (QuotasResource.listQuotas()) or a single quota is retrieved (QuotasResource.retrieve()), CORS headers are not returned, causing problems for JS applications, which will not allow the results of the query to be accessed unless the required CORS headers are returned. For example, here is a listQuotas() request for quotas that don't exist, causing a 404 result:

curl -v "https://api.test.dataone.org:30443/bookkeeper/v1/quotas?quotaType=portal&subscriber=foo" \
     -H "Origin: https://avatar.nceas.ucsb.edu" \
     -H "Authorization: Bearer $token"
...
> GET /bookkeeper/v1/quotas?quotaType=portal&subscriber=foo HTTP/1.1
> Host: api.test.dataone.org:30443
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: https://avatar.nceas.ucsb.edu
...
< Server: nginx/1.19.0
< Date: Wed, 26 Aug 2020 17:57:38 GMT
< Content-Type: application/json
< Content-Length: 61
< Connection: keep-alive
<
{ [61 bytes data]
100    61  100    61    0     0     38      0  0:00:01  0:00:01 --:--:--    38
* Connection #0 to host api.test.dataone.org left intact
{
    "code": 404,
    "message": "The requested quotas were not found."
}
gothub commented 4 years ago

This problem was due to a basic NGINX configuration omission. The NGINXINC virtual server reads from a k8s configMap for basic configuration items such as CORS. The fix is to add 'always' to 'add_header' directives in the configMap, for example:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  # Added CORS 2020 06 18
  location-snippets: |
...
     # Without 'always', nginx adds these headers only to 200, 201, 204, 206, 301, 302,
     # 303, 304, 307 and 308 responses, so a 404 went out without any CORS headers.
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '$http_origin' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Origin, Cache-Control' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
     }

Note that all the NGINXINC virtual server configuration will be added to the GitHub 'DataONEorg/api-ingress-k8s' repo.
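An added regression check for the behaviour described in this issue (example code, not part of the bookkeeper project): it flags a response of any status, 404 included, that lacks the CORS headers, and also catches a wildcard Allow-Origin combined with credentials, which browsers reject. The header samples are constructed from the 404 shown above; the URL and token for a live request are placeholders.

```python
import urllib.request
import urllib.error

REQUIRED = ("Access-Control-Allow-Origin",
            "Access-Control-Allow-Methods",
            "Access-Control-Allow-Headers")
ORIGIN = "https://avatar.nceas.ucsb.edu"   # origin from the issue's curl request


def cors_problems(status, headers, origin):
    """Return the CORS problems in one response, as 'status: problem' strings.

    Applied to every status code: a browser needs the headers on a 404 just as
    much as on a 200, which is exactly what the missing 'always' broke."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    problems = [f"{status}: missing {n}" for n in REQUIRED if n.lower() not in h]
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is not None and acao != origin:
        problems.append(f"{status}: Allow-Origin is {acao!r}, expected {origin!r}")
    if credentials and acao == "*":
        # Browsers reject a wildcard origin when credentials are allowed.
        problems.append(f"{status}: wildcard Allow-Origin with credentials is rejected by browsers")
    return problems


def fetch(url, origin, token):
    """GET url with Origin and bearer token; return (status, headers) even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Origin": origin,
                                               "Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed headers modelled on the issue: the 404 before the fix carried no CORS
# headers at all; with 'always' on every add_header it carries the full set.
BEFORE_FIX = {"Server": "nginx/1.19.0", "Content-Type": "application/json"}
AFTER_FIX = {
    **BEFORE_FIX,
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS, PUT, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type, Origin, Cache-Control",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for label, hdrs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, cors_problems(404, hdrs, ORIGIN) or "OK")
```

For a live check, pass the result of `fetch("https://HOST/bookkeeper/v1/quotas?quotaType=portal&subscriber=foo", ORIGIN, "TOKEN")` (placeholders) into `cors_problems()`; an empty list means the 404 now carries the headers.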