SenseNet / sensenet

Open Source Content Services Platform written in .NET
https://sensenet.com
GNU General Public License v2.0
173 stars 112 forks

Unable to log in with JWT using CORS #98

Closed gallayl closed 7 years ago

gallayl commented 7 years ago

We're unable to log in to a sensenet ECM site (using Sensenet.Services 7.0.0-beta2 and Sensenet.WebPages 7.0.0-beta1) with JWT authentication, using CORS.

Steps to reproduce:

  1. Create a sensenet ECM site with the following components, set up JWT authentication and HTTPS
  2. Set up CORS, update Settings/Portal.settings in Explore, remove Deny cross-site access from your site
  3. Download the updated Angular ToDo example app
  4. Install it with npm i
  5. Specify your site URL in ./src/app/app.module.ts
    const repository = new Repository.SnRepository({
      // You can set your site URL here, if it's different from the host that will serve this ToDo application
      RepositoryUrl: 'https://sn-local' // <- this should point to your repository
    });
  6. Run it with npm run start
  7. Open http://localhost:4200, open network toolbar and try to log in

Actual behavior

The OPTIONS preflight request to https://sn-local/sn-token/login returns a 404. Chrome error:

- XMLHttpRequest cannot load https://sn-local/sn-token/login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 404.

The mentioned header is not present.

There is another HTTP request to an OData endpoint that tries to fetch contents from the repository. It contains the access-control-allow-methods and access-control-allow-origin headers.

If you build the same Angular application and upload the bundle, the login works.

It seems that the login request picks up different options than the request to the OData endpoint in terms of CORS settings.
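
The browser-side check behind the Chrome error quoted in this issue, as an added example that is not part of the original thread or sensenet's code: a simplified version of the CORS preflight check, run against constructed responses. The login request shape (POST with an Authorization header and credentials) and all header values are assumptions.

```javascript
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const splitList = v => (v || '').split(',').map(s => s.trim()).filter(Boolean);
// req: { origin, method, headers: [names], credentials: bool }
// res: { status, headers: { lower-case name: value } }
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers || {};
  const wildcardOk = !req.credentials; // "*" is not honoured for credentialed requests

  if (res.status < 200 || res.status > 299) {
    problems.push(`preflight status ${res.status} is not 2xx`);
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin !== req.origin && !(allowOrigin === '*' && wildcardOk)) {
    problems.push(`Access-Control-Allow-Origin "${allowOrigin}" does not allow ${req.origin}`);
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  const methods = splitList(h['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes('*'))) {
    problems.push(`method ${req.method} is not in Access-Control-Allow-Methods`);
  }
  const allowedHeaders = splitList(h['access-control-allow-headers']).map(s => s.toLowerCase());
  for (const name of req.headers.map(s => s.toLowerCase())) {
    // Authorization must always be listed by name; "*" never covers it.
    const viaWildcard = wildcardOk && allowedHeaders.includes('*') && name !== 'authorization';
    if (!allowedHeaders.includes(name) && !viaWildcard) {
      problems.push(`request header "${name}" is not in Access-Control-Allow-Headers`);
    }
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed samples. The request shape (POST, Authorization header, credentials) is assumed.
const loginRequest = { origin: 'http://localhost:4200', method: 'POST',
  headers: ['Authorization'], credentials: true };
const loginPreflight = { status: 404, headers: {} }; // as reported for /sn-token/login
const odataPreflight = { status: 200, headers: {    // header values are constructed
  'access-control-allow-origin': 'http://localhost:4200',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, PATCH, PUT, DELETE, OPTIONS',
  'access-control-allow-headers': 'Authorization, Content-Type' } };
console.log(checkPreflight(loginRequest, loginPreflight));
console.log(checkPreflight(loginRequest, odataPreflight));
```

The 404 response fails on status as well as on the missing headers, so the OPTIONS handler for the login path has to both answer with a 2xx status and echo the allowed origin rather than `*` when credentials are sent.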

tusmester commented 7 years ago

Note to dev: see ODataHandler processrequest method for the correct response to an options request.

borsi commented 7 years ago

Update and migrate the CORS documentation to github.io while we're at it. :) 👍

tusmester commented 7 years ago

Updating/migrating docs to this repo is done, moving to the final github.io is another task.

borsi commented 7 years ago

@herflis pls move it move it