Psychoanalytic-Electronic-Publishing / PaDS

Psychoanalysts Database System (PaDS) is a user database and authorization server with an API to manage and authenticate users for the PEP User Interface client and OPAS Document server.

CORS Issue #2

Closed adistasio closed 4 years ago

adistasio commented 4 years ago

We are getting CORS issues trying to hit the PaDS site.

Access to XMLHttpRequest at 'https://stage-pads.pep-web.rocks/PEPSecure/api/v1/Authenticate/?grant_type=password&UserName=&Password=' from origin 'http://gavant.pep-web.rocks:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

When issuing a call from the browser we make a preflight request which is getting the error above. Could we please add CORS headers on all responses to allow ajax calls?

bakerac4 commented 4 years ago

It seems the main API mirrors the requesting domain for the access-control-allow-origin for all calls. That would be ideal.

adistasio commented 4 years ago

(Screenshot attached: Screen Shot 2020-09-02 at 8 58 22 AM)

jwoosnam commented 4 years ago

I have done some googling and have added the following to my web.config file:

Please try.

jwoosnam commented 4 years ago

```xml
</httpProtocol>
```

GitHub seems to have hidden my lines, this might work.

bakerac4 commented 4 years ago

@jwoosnam, slightly different error:

Access to XMLHttpRequest at 'https://stage-pads.pep-web.rocks/PEPSecure/api/v1/Authenticate/?grant_type=password&UserName=###&Password=###' from origin 'http://gavant.pep-web.rocks:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'gavant.pep-web.rocks:4200' that is not equal to the supplied origin.

If I had to guess, you're just missing the http://; however, I'm not sure that what you have will work on stage because that would be an altogether different URL, e.g. https://stage.pep-web.rocks

jwoosnam commented 4 years ago

OK - for now I have set it to * which should allow any traffic...

bakerac4 commented 4 years ago

@jwoosnam thank you.

Slightly different error now:

Access to XMLHttpRequest at 'https://stage-pads.pep-web.rocks/PEPSecure/api/v1/Authenticate/?grant_type=password&UserName=Test1&Password=Zedra001' from origin 'http://gavant.pep-web.rocks:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

jwoosnam commented 4 years ago

When I run it in Postman it seems to come back with a 200?

(Screenshot attached: Screenshot 2020-09-02 at 20 40 12)

nrshapiro commented 4 years ago

@bakerac4 @jwoosnam

The port number must also be part of the CORS_ORIGINS patterns accepted to make it work like you are on the same origin. Or work without the port number and it should work.

bakerac4 commented 4 years ago

@jwoosnam I think you were looking at the actual request, and not the OPTIONS request that happens before (the preflight request).

https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

An OPTIONS request is sent by the browser before the actual request is sent. And it's that OPTIONS request that must not be coming back with a 200.

jwoosnam commented 4 years ago

I have changed it to http://gavant.pep-web.rocks:4200 as I think you have to specify a single URL if Credentials is enabled.

bakerac4 commented 4 years ago

@jwoosnam I just tried it - looks like the same error still.

Access to XMLHttpRequest at 'https://stage-pads.pep-web.rocks/PEPSecure/api/v1/Authenticate/?grant_type=password&UserName=Test1&Password=Zedra001' from origin 'http://gavant.pep-web.rocks:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

jwoosnam commented 4 years ago

Until two days ago I had very little need to know much about CORS, so I have been trying to catch up. Having done more reading it is clear that this needs to be added to the PaDS server. Initially I thought the request to put PaDS on the same domain would solve the problem, but it is now very clear that this will not work if any part of the URL is different.

This is going to require configuration changes, and potentially additional software, to be added to the PaDS server. None of this is very difficult but it is unlikely to be completed before the weekend.

I will update when I have more news.

jwoosnam commented 4 years ago

@bakerac4 I have implemented a new version that should be CORS compliant from http://gavant.pep-web.rocks:4200. Please let me know if I need to add other URLs.

bakerac4 commented 4 years ago

@jwoosnam unfortunately I'm still seeing an error - but hopefully this one will be quick.

Access to XMLHttpRequest at 'https://stage-pads.pep-web.rocks/PEPSecure/api/v1/Authenticate/?grant_type=password&UserName=Test1&Password=Zedra001' from origin 'http://gavant.pep-web.rocks:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

As for the other URLs, I know we will be using https://stage.pep-web.rocks for stage so you can add that too.

Thanks, Adam

jwoosnam commented 4 years ago

@bakerac4 thanks for your patience. I have changed the settings again!

(Screenshot attached: Screenshot 2020-09-04 at 14 50 29)

bakerac4 commented 4 years ago

OK, I think I have it working. Thanks for your help! @adistasio you should be able to resolve this.
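As an added example (not PaDS code and not from the thread): a toy preflight handler plus an emulation of the browser-side checks, using the two front-end origins named above as an assumed allowlist. It reproduces each block seen in the thread (missing header, origin without scheme, OPTIONS not returning 2xx, credentials) and the final working shape: the origin echoed exactly, including scheme and port, with Access-Control-Allow-Credentials set to true, never '*'.

```python
ORIGIN = "http://gavant.pep-web.rocks:4200"
ALLOWED_ORIGINS = {ORIGIN, "https://stage.pep-web.rocks"}  # assumed allowlist: scheme+host+port

def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Headers the server should add for request_origin; {} if not allowed.
    The origin is echoed exactly rather than '*', because a credentialed
    request (withCredentials / credentials mode 'include') cannot use '*'."""
    if request_origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def handle_preflight(request_origin, requested_method, requested_headers=()):
    """Answer the OPTIONS preflight as (status, headers). It must be 2xx and
    carry the CORS headers, or the browser never sends the real request."""
    headers = cors_headers(request_origin)
    if not headers:
        return 403, {}
    headers["Access-Control-Allow-Methods"] = requested_method
    headers["Access-Control-Allow-Headers"] = ", ".join(requested_headers)
    return 204, headers

def browser_check(status, headers, origin, credentials=True):
    """Emulate the browser's preflight checks; return the block reason or None."""
    if not 200 <= status < 300:
        return "It does not have HTTP ok status."
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return "No 'Access-Control-Allow-Origin' header is present"
    if acao == "*" and credentials:
        return "'*' is not allowed when credentials mode is 'include'"
    if acao != "*" and acao != origin:
        return f"'{acao}' is not equal to the supplied origin"
    if credentials and headers.get("Access-Control-Allow-Credentials") != "true":
        return "Access-Control-Allow-Credentials must be 'true'"
    return None

if __name__ == "__main__":
    # The thread's configurations in order, ending with the working one.
    for name, resp in [("no header", (200, {})),
                       ("no scheme", (200, {"Access-Control-Allow-Origin": "gavant.pep-web.rocks:4200"})),
                       ("wildcard", (200, {"Access-Control-Allow-Origin": "*"})),
                       ("OPTIONS 405", (405, cors_headers(ORIGIN))),
                       ("fixed", handle_preflight(ORIGIN, "POST", ["content-type"]))]:
        print(f"{name:12} -> {browser_check(*resp, ORIGIN) or 'allowed'}")
```

In the thread the wildcard attempt failed on the status check first; the emulation shows that even with a 200 the wildcard would still be rejected for a credentialed request.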