hyperledger / aries-cloudagent-python

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://wiki.hyperledger.org/display/aries
Apache License 2.0

OPTIONS requests should be allowed without requiring Authorization token #1989

Closed rpobulic closed 1 year ago

rpobulic commented 1 year ago

On current main, similar to #1575, but while using multitenant. Log:

    Handler error with exception: Unauthorized 10.0.0.231 [26/Oct/2022:10:03:31 +0000] "OPTIONS /connections HTTP/1.1" 401 178 "https://...

rpobulic commented 1 year ago

I made a successful fix in aries_cloudagent/admin/server.py in my local repo:

            # base wallet is not allowed to perform ssi related actions.
            # Only multitenancy and general server actions
            if (
                not authorization_header
                and not is_multitenancy_path
                and not is_server_path
                and not is_unprotected_path(path)
                and not base_limited_access_path
                and not (request.method == "OPTIONS")  # CORS fix
            ):
                raise web.HTTPUnauthorized()

Tested for several days, no problems. If this logic is OK, can it be fixed in main?

swcurran commented 1 year ago

@TimoGlastra @ianco -- thoughts on this one? Should that be allowed?

ianco commented 1 year ago

Seems ok to me. @rpobulic can you provide a PR?

rpobulic commented 1 year ago

I am not a Python programmer, so I am not contributing to aca-py, thus I am not set up for providing a PR. Please, can you just copy that one line and make a PR?

ianco commented 1 year ago

FYI taking a look at this now ...

ianco commented 1 year ago

@rpobulic the fix is in the main branch

rpobulic commented 1 year ago

Works OK now, thank you!