corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License
879 stars 139 forks

Does not work with Flask-Security login #191

Closed suederade closed 7 years ago

suederade commented 7 years ago

As the title says, this is not working to allow the Flask-Security login POST to work.

corydolphin commented 7 years ago

Thanks for the issue! Can you provide more information? What is your configuration, and a sample request and response.

Thanks, Cory

suederade commented 7 years ago
import os

from flask import Flask
from flask_cors import CORS
from flask_marshmallow import Marshmallow
from flask_security import Security, SQLAlchemyUserDatastore
from flask_sqlalchemy import SQLAlchemy

from config import config  # assumed: per-environment config objects keyed by name (import omitted in the original)

app = Flask(__name__)
app.config.from_object(config[os.getenv('APP_CONFIG', 'development')])
app.secret_key = 'super secret key'  # placeholder; use a long random value in production

CORS(app)  # defaults: origins="*", supports_credentials=False

db = SQLAlchemy(app)
ma = Marshmallow(app)

from app.models import User, Role

user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore)  # registers Flask-Security's /login view

from .api_v1 import api as api_v1_blueprint
app.register_blueprint(api_v1_blueprint, url_prefix='/test')

I am sending a POST to "x.x.x.x:3333/login" (which is Flask-Security's built-in login view that sets the current user and allows the decorators, etc.), and I get a cross-origin error.

corydolphin commented 7 years ago

Thanks for the details!

Since you are submitting cookies cross origin, you need to ensure that supports_credentials=True. Please see this short snippet from the docs: http://flask-cors.corydolphin.com/en/latest/api.html#using-cors-with-cookies

Will you let me know if that fixes things for you, and if you have any suggestions for how that could be made clearer? If there is somewhere in the README you expected it, but did not find it, would you be willing to make a pull request to update it?

Thanks, Cory

suederade commented 7 years ago

So adding supports_credentials=True only allows it to work if I set SESSION_COOKIE_HTTPONLY=False, which I'm not sure I understand. If I leave it set to True, then the login returns a GET 302 that doesn't actually hit the server, then does the actual POST and also gets a 302.

I'm also having a problem where I change origins="*" and I'm still getting Access-Control-Allow-Origin:http://web.localhost.com:1206 in the pre-flight request.

Once I add @roles_accepted from flask-security, it breaks again giving me this error:

XMLHttpRequest cannot load http://api.localhost.com:8088/ws/v1/sales-orders. Redirect from 'http://api.localhost.com:8088/ws/v1/sales-orders' to 'http://web.localhost.com:1206/' has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.

Is this just because it doesn't have the required role, and the errors that come back just aren't very useful?

corydolphin commented 7 years ago

Hey Steven,

Sorry for the delay here. Make sure you are correctly setting the XHR params.

Here's an example static page making an XHR and a flask-login server.

Archive.zip