xyncro / freya

Freya Web Stack - Meta-Package
https://freya.io

Authorization / authentication of options requests #184

Closed Vidarls closed 8 years ago

Vidarls commented 8 years ago

I found (after some serious one-on-one time with my Fiddler) that I needed to disable authorization / authentication of OPTIONS requests. Are there any valid use cases where you would want to have authentication on OPTIONS requests? It seems from this: https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 that browsers will strip away authorization headers for the pre-flight OPTIONS request. If not, might it be a good idea that Freya excludes OPTIONS requests from the authenticated / allowed decisions?

kolektiv commented 8 years ago

Hmmm, that's an interesting point. The honest answer is "I'm not sure"! OPTIONS requests do have wider uses than simply CORS, although that is the most common use case now I would imagine. I can imagine situations where securing them is needed. I'm hesitant to remove the possibility of securing them because of that. It does mean an extra conditional on request method on the auth logic though I'll admit. I think on balance leaving the auth there is probably "safest" but I think there should certainly be some documentation and a handy code snippet to avoid people having to discover the issue you've found!

I've created an issue (#185) for that.
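As an added illustration of the "extra conditional on request method" discussed above (this is not Freya's code and not from either commenter; it is a generic sketch), the following Python shows an authorization decision that recognises a CORS preflight by its method plus the `Origin` and `Access-Control-Request-Method` headers and exempts only that, so a plain OPTIONS request without preflight headers still goes through authentication. The `Request` type, the `decide` function, the `exempt_preflight` switch and the bearer token value are all constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal constructed request model (not Freya's request type)."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        # Header names are case-insensitive, so compare case-folded.
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def is_cors_preflight(req: Request) -> bool:
    """A CORS preflight is an OPTIONS request that carries an Origin header
    and an Access-Control-Request-Method header. The browser sends it without
    credentials, so an Authorization header will never be present on it."""
    return (
        req.method.upper() == "OPTIONS"
        and req.header("Origin") is not None
        and req.header("Access-Control-Request-Method") is not None
    )


def is_authenticated(req: Request) -> bool:
    """Placeholder credential check; the token value is constructed for the demo."""
    return req.header("Authorization") == "Bearer demo-token"


def decide(req: Request, exempt_preflight: bool = True):
    """Return (status, reason).

    With exempt_preflight=True the preflight bypasses the auth decision and is
    answered 204; every other request, including an OPTIONS request that is not
    a preflight, is still checked. With exempt_preflight=False the preflight is
    authenticated like anything else and fails with 401, which makes the browser
    abort the real cross-origin request that was to follow.
    """
    if exempt_preflight and is_cors_preflight(req):
        return 204, "cors preflight: no credentials expected, auth skipped"
    if not is_authenticated(req):
        return 401, "unauthenticated"
    return 200, "ok"


def run_demo():
    """Run a few constructed requests through both configurations."""
    preflight = Request("OPTIONS", {
        "Origin": "https://app.example",
        "Access-Control-Request-Method": "PUT",
    })
    plain_options = Request("OPTIONS", {})  # OPTIONS with a non-CORS purpose
    authed_get = Request("GET", {"authorization": "Bearer demo-token"})
    return {
        "preflight_exempt": decide(preflight),
        "preflight_strict": decide(preflight, exempt_preflight=False),
        "plain_options": decide(plain_options),
        "authed_get": decide(authed_get),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point of keying the exemption on the preflight headers rather than on the method alone is that it keeps the possibility of securing other OPTIONS requests, which is the concern raised above, while still letting the credential-less preflight succeed.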

Vidarls commented 8 years ago

I agree with regards to not removing the possibility.

But if the most common use case requires most people to create extra ceremony code, there might be a case for some defaults that can be overridden?

Vidarls commented 8 years ago

I really appreciate that I now have a lot more understanding of the HTTP protocol (the RFCs are quite well written and easy to understand), but I wish that Freya would have gently pushed me in the correct direction rather than give me the software version of RTFM :smirk:

kolektiv commented 8 years ago

Haha, that is a fair comment. Documentation around "how and why" to configure machines is absolutely needed. A recipe style approach combined with some deeper dives is my current thinking as to a possible way to do that - but I would be setting myself up for looking silly if I promised when! I hope "soon".

In terms of defaults, I'll definitely have a think about whether something reasonably neat is possible for that, without adding too much complexity/extra decisions.

Vidarls commented 8 years ago

I might be able to contribute to the docs. I am starting to feel quite comfortable with the basics. My team will need docs anyway, so I see no problem in crafting the non-domain-specifics in such a way that it can be incorporated into the Freya docs.

Currently my plan is as follows:

Timeframe is always difficult to say anything about, but I'll contribute back when I can :smile:

kolektiv commented 8 years ago

Any doc contributions will be very happily received! When/if you get time for it, that would be great - if you don't get time for it, that's also fine, your engagement is appreciated :smile:

kolektiv commented 8 years ago

Closing this one for now, as the docs (whoever gets there first!) are now tracked as #185.