socialcast / devise_oauth2_providable

Rails3 engine integrating OAuth2 authentication with Devise
MIT License
219 stars 102 forks

authenticate_user! overrides other Middleware response headers #40

Closed JeanMertz closed 12 years ago

JeanMertz commented 12 years ago

I've been using cyu/rack-cors to provide access to my API through XHR requests. This returns the following headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, PUT, CREATE, DELETE
Access-Control-Allow-Origin:http://app.mydomain.dev
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000

However, as soon as I start authenticating the backend using devise_oauth2_providable with :authenticate_user!, the CORS headers are lost and I can no longer access my API:

XMLHttpRequest cannot load http://api.mydomain.dev/projects.
Origin http://app.mydomain.dev is not allowed by Access-Control-Allow-Origin.

(no response-header is returned and the request simply stops with Status showing as canceled)

Could it be that devise_oauth2_providable overrides all previously set headers and therefore the CORS headers are no longer sent back? And if so, I couldn't find anything doing this in the gem source, so should I be looking at nov/rack-oauth2 for the problem?

JeanMertz commented 12 years ago

Actually, looking further into this issue, I think this is related to the fact that authenticate_user! returns 401 restricted access because of issues in my app with authenticating. But even so, shouldn't it still return the CORS headers? Because now, the server logs show:

Started GET "/projects" for 127.0.0.1 at 2012-04-20 11:06:07 +0200
[11:06:07] [INFO]   [api] Processing by Api::V1::ProjectsController#index as JSON
[11:06:07] [INFO]   [api] Completed 401 Unauthorized in 0ms

While the client shows the CORS error, because no headers are returned.

wireframe commented 12 years ago

It depends on the order of Rack's execution chain. Can you dump your middleware chain to see if your rack-cors is inserted before the Devise plugin?
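As an added illustration of the ordering point above (not code from the gem, from rack-cors, or from this thread): two minimal Rack-style stacks, one with a CORS stand-in wrapped around a guard that halts with 401, and one with the guard wrapped around the CORS stand-in. The class names, the bearer-token check and the endpoint are constructed for the example.

```ruby
# Stand-in for rack-cors: adds CORS headers to whatever response comes back
# from the inner app, including a 401 the inner app produced itself.
class Cors
  def initialize(app, origin)
    @app = app
    @origin = origin
  end

  def call(env)
    status, headers, body = @app.call(env)
    cors = { 'Access-Control-Allow-Origin' => @origin,
             'Access-Control-Allow-Credentials' => 'true' }
    [status, headers.merge(cors), body]
  end
end

# Stand-in for an authenticate_user!-style guard (constructed behaviour):
# answers 401 and never calls the inner app unless a bearer token is present.
class RequireToken
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if env['HTTP_AUTHORIZATION'].to_s.start_with?('Bearer ')

    [401, { 'Content-Type' => 'application/json' }, ['{"error":"unauthorized"}']]
  end
end

# The protected endpoint (stand-in for /projects) and the allowed origin.
API = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['[]']] }
ORIGIN = 'http://app.mydomain.dev'

# CORS outermost: even the guard's 401 passes back up through Cors#call.
def cors_outside_auth
  Cors.new(RequireToken.new(API), ORIGIN)
end

# Guard outermost: the 401 short-circuits before Cors#call ever runs,
# which matches the symptom in this issue (a 401 with no CORS headers).
def auth_outside_cors
  RequireToken.new(Cors.new(API, ORIGIN))
end

# Returns [status, Access-Control-Allow-Origin] for a request env.
def probe(app, env = {})
  status, headers, _body = app.call(env)
  [status, headers['Access-Control-Allow-Origin']]
end
```

In a Rails 3 app, `rake middleware` prints the stack in execution order, which is the quickest way to see which of the two shapes above you actually have.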

JeanMertz commented 12 years ago

Thanks. I solved the issue together with @nov here: nov/rack-oauth2#18