Closed suederade closed 7 years ago
Thanks for the issue! Can you provide more information? What is your configuration, and a sample request and response?
Thanks,
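```python
import os

from flask import Flask
from flask_cors import CORS
from flask_marshmallow import Marshmallow
from flask_security import Security, SQLAlchemyUserDatastore
from flask_sqlalchemy import SQLAlchemy

app = Flask(__name__)
# `config` (environment name -> config object) is defined elsewhere in the project; its import was not posted.
app.config.from_object(config[os.getenv('APP_CONFIG', 'development')])
app.secret_key = 'super secret key'  # placeholder as posted; load a random secret from the environment when deployed
CORS(app)  # defaults only: supports_credentials is off
db = SQLAlchemy(app)
ma = Marshmallow(app)
# Models are imported after `db` exists to avoid a circular import.
from app.models import User, Role
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore)  # registers Flask-Security's built-in /login view
from .api_v1 import api as api_v1_blueprint
app.register_blueprint(api_v1_blueprint, url_prefix='/test')
```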
I am sending a POST to "x.x.x.x:3333/login" (which is Flask-Security's built-in login that sets the current user and allows decorators, etc.), and I get a Cross Origin error.
Thanks for the details!
Since you are submitting cookies cross origin, you need to ensure that supports_credentials=True. Please see this short snippet from the docs: http://flask-cors.corydolphin.com/en/latest/api.html#using-cors-with-cookies
Will you let me know if that fixes things for you, and if you have any suggestions for how that could be made clearer? If there is somewhere in the README you expected it, but did not find it, would you be willing to make a pull request to update it?
Thanks, Cory
So adding supports_credentials=True only allows it to work if you set SESSION_COOKIE_HTTPONLY=False, which I'm not sure I understand. If I leave it set to True, then the login returns a GET 302 that doesn't actually hit the server, then does the actual POST and also gets a 302.
I also am having a problem where I'm changing origins="*" and I'm still getting Access-Control-Allow-Origin:http://web.localhost.com:1206 in the pre-flight request.
Once I add @roles_accepted from flask-security, it breaks again, giving me this error:
XMLHttpRequest cannot load http://api.localhost.com:8088/ws/v1/sales-orders. Redirect from 'http://api.localhost.com:8088/ws/v1/sales-orders' to 'http://web.localhost.com:1206/' has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.
Is this just because it doesn't have the role required and the errors just don't come back very useful?
Hey Steven,
Sorry for the delay here. Make sure you are correctly setting the XHR params.
Here's an example static page making an XHR and a flask-login server.
As the title says, this is not working to allow the Flask-Security login POST to work.
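The browser-side rules behind the symptoms in this thread (missing credentials header, wildcard origin, redirected preflight), as an added example that is not part of the original discussion and is not Flask-CORS or Flask-Security code. The function name and the sample responses are constructed for illustration; only the origin is taken from the thread.

```python
# Added example, not code from Flask-CORS or Flask-Security.
# Function name and sample responses are constructed for illustration.

def credentialed_cors_problems(origin, status, headers, is_preflight=False):
    """Return the reasons a browser rejects a response to a cross-origin
    request that carries cookies (XHR with withCredentials = true)."""
    hdrs = {name.lower(): value.strip() for name, value in headers.items()}
    problems = []

    # A preflight (OPTIONS) must be answered with a 2xx status; a 302 fails it.
    if is_preflight and not 200 <= status <= 299:
        problems.append(f"preflight returned {status}, expected 2xx")

    # With credentials, the allowed origin must match exactly; '*' is refused.
    allow_origin = hdrs.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin is missing")
    elif allow_origin == "*":
        problems.append("Access-Control-Allow-Origin is '*' on a credentialed request")
    elif allow_origin != origin:
        problems.append(f"Access-Control-Allow-Origin {allow_origin!r} != {origin!r}")

    # The value is compared case-sensitively: only the literal 'true' counts.
    if hdrs.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    return problems


ORIGIN = "http://web.localhost.com:1206"  # page origin taken from the thread

# Constructed responses: (label, status, headers, is_preflight)
SAMPLES = [
    ("origin allowed, credentials not", 200,
     {"Access-Control-Allow-Origin": ORIGIN}, False),
    ("origin and credentials allowed", 200,
     {"Access-Control-Allow-Origin": ORIGIN,
      "Access-Control-Allow-Credentials": "true"}, False),
    ("wildcard origin", 200,
     {"Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Credentials": "true"}, False),
    ("preflight redirected", 302, {"Location": ORIGIN + "/"}, True),
]

if __name__ == "__main__":
    for label, status, headers, preflight in SAMPLES:
        found = credentialed_cors_problems(ORIGIN, status, headers, preflight)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Feeding it the status and headers copied from the browser's network tab for the failing OPTIONS and POST requests shows which of the three conditions is not met.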