gothinkster / aspnetcore-realworld-example-app

ASP.NET Core backend implementation for RealWorld
https://realworld.io
MIT License
1.94k stars 549 forks

CORS and pre-flight OPTIONS requests. #63

Open VictorioBerra opened 5 years ago

VictorioBerra commented 5 years ago

Are OPTIONS actions needed for CORS pre-flight requests?

See here: https://github.com/Dotnet-Boxed/Templates/blob/master/Source/Content/ApiTemplate/Controllers/CarsController.cs#L24-L64

        /// <summary>
        /// Returns an Allow HTTP header with the allowed HTTP methods.
        /// </summary>
        /// <returns>A 200 OK response.</returns>
        [HttpOptions]
        [SwaggerResponse(StatusCodes.Status200OK, "The allowed HTTP methods.")]
        public IActionResult Options()
        {
            this.HttpContext.Response.Headers.AppendCommaSeparatedValues(
                HeaderNames.Allow,
                HttpMethods.Get,
                HttpMethods.Head,
                HttpMethods.Options,
                HttpMethods.Post);
            return this.Ok();
        }

        /// <summary>
        /// Returns an Allow HTTP header with the allowed HTTP methods for a car with the specified unique identifier.
        /// </summary>
        /// <param name="carId">The car's unique identifier.</param>
        /// <returns>A 200 OK response.</returns>
        [HttpOptions("{carId}")]
        [SwaggerResponse(StatusCodes.Status200OK, "The allowed HTTP methods.")]
        public IActionResult Options(int carId)
        {
            this.HttpContext.Response.Headers.AppendCommaSeparatedValues(
                HeaderNames.Allow,
                HttpMethods.Delete,
                HttpMethods.Get,
                HttpMethods.Head,
                HttpMethods.Options,
                HttpMethods.Patch,
                HttpMethods.Post,
                HttpMethods.Put);
            return this.Ok();
        }

VictorioBerra commented 5 years ago

I think maybe they are only needed for swagger doc.

VictorioBerra commented 5 years ago

Wait no... I think you have to manually have this to respond to OPTIONS requests and that is not built into MVC. Why don't we have these?

adamhathcock commented 5 years ago

Browsers do preflight checks but it wasn't part of the API spec (or I didn't see it when I originally did the work). PRs welcome.

VictorioBerra commented 5 years ago

Do we have help-wanted or up-for-grabs labels?

https://github.com/aspnet/Docs/issues/7268#issuecomment-446595339
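
For reference on the question raised in this thread, an added example (not code from this repository or from any commenter): ASP.NET Core's CORS middleware answers pre-flight OPTIONS requests itself once a policy is registered, and browsers evaluate the `Access-Control-Allow-*` response headers during pre-flight, not the `Allow` header. The policy name, the origin and the `/api/echo` endpoint are placeholders, and the `Program.cs` minimal-hosting style assumes ASP.NET Core 6 or later.

```csharp
// Added example: Program.cs for an ASP.NET Core 6+ web project (implicit usings enabled).
// "spa", https://app.example.test and /api/echo are placeholders, not values from this repo.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    options.AddPolicy("spa", policy => policy
        // List the trusted front-end origins explicitly. AllowAnyOrigin() would let
        // any site read responses from this API through a visitor's browser.
        .WithOrigins("https://app.example.test")
        // Returned to the browser as Access-Control-Allow-Methods on pre-flight.
        .WithMethods("GET", "POST", "PUT", "DELETE")
        // Returned as Access-Control-Allow-Headers. A JSON Content-Type or an
        // Authorization header is what makes the browser send a pre-flight at all.
        .WithHeaders("Content-Type", "Authorization")
        // Lets the browser cache the pre-flight result (Access-Control-Max-Age).
        .SetPreflightMaxAge(TimeSpan.FromMinutes(10)));
});

var app = builder.Build();

app.UseRouting();

// Must run after UseRouting and before the endpoints. An OPTIONS request carrying
// Origin and Access-Control-Request-Method is answered here by the middleware, so no
// [HttpOptions] action is required for CORS. If the origin, method or headers do not
// match the policy, the allow headers are omitted and the browser blocks the request.
app.UseCors("spa");

// Placeholder endpoint: a cross-origin POST with a JSON body triggers a pre-flight.
app.MapPost("/api/echo", (Item item) => Results.Ok(item));

app.Run();

// Placeholder request type for the endpoint above.
record Item(string Name);
```

An `[HttpOptions]` action that only sets `Allow` documents the supported methods for API clients, but it does not add the `Access-Control-Allow-*` headers a browser checks.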