search

aio-libs / aiohttp-cors

CORS support for aiohttp
Apache License 2.0
203 stars 56 forks source link

Authentication middleware prevent CORS to be send correctly #193

Open bmamouri opened 5 years ago

bmamouri commented 5 years ago

I have an authentication middleware. In the middleware if the request method is OPTIONS I am returning the handler intact with the aim that aiohttp-cors handle the preflight request and return the correct response headers. However, the response headers are not being sent correctly by the signals.

It is quite possible that I am doing something wrong in my middleware, and the OPTIONS call need to be handled differently. This is my middleware:

@middleware
async def auth_middleware(request, handler):
    if isinstance(request.match_info.route, SystemRoute):  # eg. 404
        return await handler(request)

    if request.method == hdrs.METH_OPTIONS:
        return await handler(request)

    try:
        request['claims'] = await authenticate(request)
    except ValueError as e:
        raise HTTPUnauthorized(PayloadErrors(e.args[0]))

    return await handler(request)

I am creating the app as following:

def create_app():
    app = Application(middlewares=middlewares)
    setup_cors(app)
    return app

And this is how I am setting up cors:

def setup_cors(app: Application):
    resources = [
        'http://localhost:8100',
        'http://www.example.com',
    ]

    cors = aiohttp_cors.setup(app, defaults={
        resource: aiohttp_cors.ResourceOptions(
            allow_credentials=True,
            expose_headers='*',
            allow_methods='*',
            allow_headers='*',
        ) for resource in resources
    })

    for route in app.router.routes():
        cors.add(route)

However, whenever I make a call I get the following error:

Unhandled exception
Traceback (most recent call last):
  File "/python3.7/site-packages/aiohttp/web_protocol.py", line 398, in start
    await resp.prepare(request)
  File "/python3.7/site-packages/aiohttp/web_response.py", line 299, in prepare
    await request._prepare_hook(self)
  File "/python3.7/site-packages/aiohttp/web_request.py", line 686, in _prepare_hook
    await app.on_response_prepare.send(self, response)
  File "/python3.7/site-packages/aiohttp/signals.py", line 35, in send
    await receiver(*args, **kwargs)
  File "/python3.7/site-packages/aiohttp_cors/cors_config.py", line 171, in _on_response_prepare
    assert hdrs.ACCESS_CONTROL_ALLOW_ORIGIN not in response.headers
AssertionError
Unhandled exception
Traceback (most recent call last):
  File "/python3.7/site-packages/aiohttp/web_protocol.py", line 398, in start
    await resp.prepare(request)
  File "/python3.7/site-packages/aiohttp/web_response.py", line 299, in prepare
    await request._prepare_hook(self)
  File "/python3.7/site-packages/aiohttp/web_request.py", line 686, in _prepare_hook
    await app.on_response_prepare.send(self, response)
  File "/python3.7/site-packages/aiohttp/signals.py", line 35, in send
    await receiver(*args, **kwargs)
  File "/python3.7/site-packages/aiohttp_cors/cors_config.py", line 171, in _on_response_prepare
    assert hdrs.ACCESS_CONTROL_ALLOW_ORIGIN not in response.headers
AssertionError
jaideepkekre commented 4 years ago

@bmamouri I too have the same issue. A dirty fix was to move the validation of the auth request headers to each route, making them call a common validation function. But this issue renders the aiohttp middleware component unusable with this library.

Kwieeciol commented 1 year ago

Hello, I still have this issue.

olwethumlimi commented 4 months ago

the issue is here Path : site-packages\aiohttp_cors\cors_config.py Line: 171 : assert hdrs.ACCESS_CONTROL_ALLOW_ORIGIN not in response.headers

I had to comment this line to get it working