lynndylanhurley / devise_token_auth

Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.
Do What The F*ck You Want To Public License

301 redirects and CORS issues #775

Open jakeleboeuf opened 7 years ago

jakeleboeuf commented 7 years ago

I'm getting the following error making a request :(

I'm following guidelines set in the fetch api spec... any clue how to get around this?

```
XMLHttpRequest cannot load http://localhost:3000/auth/facebook?code={thecode} Redirect from 'http://localhost:3000/auth/facebook?code=[thecode]' to 'http://localhost:3000/omniauth/facebook?code=A[thecode]&resource_class=User' has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.
```

```ruby
# config/initializers/cors.rb
Rails.application.config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
  allow do
    origins '*'

    resource '*',
      headers: :any,
      resource: '*',
      expose:  ['access-token', 'expiry', 'token-type', 'uid', 'client'],
      methods: [:get, :post, :put, :patch, :delete, :options, :head]
  end
end
```

deric commented 7 years ago

You should need just the rack-cors gem. Try to move the initialization to config/environments/development.rb:

```ruby
config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*',
      :headers => :any,
      :methods => [:get, :post, :delete, :put, :options],
      :expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],
      :max_age => 0
  end
end
```

Moreover, enabling this in production is quite dangerous.
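
The caution above about `origins '*'` in production, as an added example that is not part of the thread or of either gem: a stand-alone Rack-style middleware that grants CORS access, including the exposed token headers, only to an exact-match origin allowlist. The `AllowlistCors` class and the listed origins are hypothetical; with rack-cors the same list would be passed to `origins` in place of `'*'`.

```ruby
# Added illustration; not code from devise_token_auth or rack-cors.
# The origins below are constructed placeholders for your real front ends.
ALLOWED_ORIGINS = ['https://app.example.com', 'http://localhost:4200'].freeze
EXPOSED_HEADERS = %w[access-token expiry token-type uid client].freeze
ALLOWED_METHODS = %w[GET POST PUT PATCH DELETE OPTIONS HEAD].freeze

# Rack-style middleware that grants CORS access only to listed origins.
class AllowlistCors
  def initialize(app, origins: ALLOWED_ORIGINS)
    @app = app
    @origins = origins
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    # Exact string match: no substring or prefix checks, and 'null' is never listed.
    allowed = @origins.include?(origin)
    preflight = env['REQUEST_METHOD'] == 'OPTIONS' &&
                env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')

    if preflight
      # Answer the preflight here; a refused origin gets no CORS headers at all.
      return [204, allowed ? grant(origin, env) : deny, []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(allowed ? grant(origin) : deny), body]
  end

  private

  def deny
    { 'vary' => 'Origin' }
  end

  def grant(origin, preflight_env = nil)
    headers = {
      'access-control-allow-origin' => origin, # echo the matched origin, never '*'
      'access-control-expose-headers' => EXPOSED_HEADERS.join(', '),
      'vary' => 'Origin' # caches must not reuse one origin's answer for another
    }
    return headers unless preflight_env

    requested = preflight_env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
    headers['access-control-allow-methods'] = ALLOWED_METHODS.join(', ')
    headers['access-control-allow-headers'] = requested if requested
    headers
  end
end
```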

ghost commented 7 years ago

I'm having this issue too.

```ruby
# config/initializers/cors.rb
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'
    resource '*',
      headers: :any,
      methods: [:get, :post, :put, :patch, :delete, :options, :head]
  end
end
```

I've also tried the one mentioned above and no luck. Any other suggestions?

Thanks!

hoggworks commented 7 years ago

If anyone has a solution to this, I'm also experiencing it. It isn't holding up my development, but it'd be handy to have a workaround. I've seen references to setting the headers: to any, as it is in the code pasted above, but that doesn't seem to be fixing anything.

ariffmunshi commented 7 years ago

Hey, anyone found a solution to this? Seems like all my apps in development/production started facing this issue a couple of days ago. Have tried with all sorts of CORS settings but to no avail. In my logs it just shows:

```
INFO -- omniauth: (facebook) Callback phase initiated.
ERROR -- omniauth: (facebook) Authentication failure! invalid_credentials: OAuth2::Error,
```

CoSNaYe commented 7 years ago

+1, I also encounter this problem.

```
Redirect from 'https://www.facebook.com/v2.6/dialog/ ...' to
'https://www.facebook.com/login.php?...' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'null' is therefore not allowed access.
```