plone / guillotina

Python AsyncIO data API to manage billions of resources
https://guillotina.readthedocs.io/en/latest/

Proposal: generate default config with cors.allow_origin = "*" #1061

Open masipcat opened 3 years ago

masipcat commented 3 years ago

The idea is to make it easier to start developing with guillotina and a frontend. Right now guillotina returns a 401 (Unauthorized) when the origin is not allowed, and because this is returned from an OPTIONS request it's not possible to provide a nice message to distinguish the CORS error from an authentication error.

I think most frameworks don't have CORS enabled by default, and probably CORS would be managed by a reverse proxy when guillotina is deployed in production, so I think making this opt-in would be better.

What do you think?

masipcat commented 3 years ago

This is related to this https://github.com/plone/guillotina/pull/1004

Also, maybe we could change the 401 to 403 (Forbidden)

vangheem commented 3 years ago

We had this very long ago but thought it was a bad idea to have default values that were insecure. Maybe the cookie cutter that creates settings makes this setting explicit?

masipcat commented 3 years ago

> We had this very long ago but thought it was a bad idea to have default values that were insecure.

oh ok

> Maybe the cookie cutter that creates settings makes this setting explicit?

yes, that's the case https://github.com/plone/guillotina/blob/master/guillotina/cookiecutter/application/%7B%7Bcookiecutter.package_name%7D%7D/config.yaml#L23-L25

vangheem commented 3 years ago

Maybe have the default insecure with a logging message warning about it?

masipcat commented 3 years ago

Sounds good to me! I'll open a PR later
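The behaviour the thread settles on (a wildcard `cors.allow_origin` default that is flagged with a warning at startup, and a preflight rejection that names the CORS problem instead of a bare 401) sketched in Python as an added example; it is not guillotina's own code, and the `settings` layout (`cors.allow_origin` as a list) and the helper names are assumptions for illustration.

```python
import logging
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("cors")

# Hypothetical default settings, in the shape the thread proposes: open by
# default so a local frontend works, but noisy about it.
DEFAULT_SETTINGS: Dict = {"cors": {"allow_origin": ["*"]}}


def warn_if_wildcard_origin(settings: Dict) -> Optional[str]:
    """Log and return a warning when the insecure wildcard default is active."""
    origins: List[str] = settings.get("cors", {}).get("allow_origin", [])
    if "*" in origins:
        msg = ("cors.allow_origin is '*': every site may call this API "
               "cross-origin; restrict it (or let the reverse proxy handle "
               "CORS) before deploying to production")
        log.warning(msg)
        return msg
    return None


def preflight_response(settings: Dict, origin: str) -> Tuple[int, Dict[str, str], Optional[Dict]]:
    """Decide the OPTIONS (preflight) reply for a request with this Origin.

    Returns (status, response headers, error body). A disallowed origin gets
    403 with a body that says *why*, so a frontend developer can tell a CORS
    misconfiguration apart from a real authentication failure.
    """
    allowed: List[str] = settings.get("cors", {}).get("allow_origin", [])
    if "*" not in allowed and origin not in allowed:
        return 403, {}, {"reason": "cors_origin_not_allowed", "origin": origin}
    if "*" in allowed:
        headers = {"Access-Control-Allow-Origin": "*"}
    else:
        # Echo the specific origin and tell caches the reply depends on it.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 200, headers, None
```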