0

HTTP Basic Auth is working great when calling from my REST client. However, the app that is consuming the API is built w/ Backbone.

We tried overriding Backbone sync to pass along the Authorization header but it is failing on an options call -- from what I understand a preflight call to see if cross origin calls are allowed. And it's important to note that this is not unique to Backbone, this happens with any cross-origin AJAX call that has modified headers.

Response Screenshot: http://cl.ly/image/0j2v240A0p2f

I've also tried modifying the fullResponse (full_response.js) plugin bundled w/ Restify (by adding Authorization to the ALLOW_HEADERS array).

var ALLOW_HEADERS = [
    'Accept',
    'Accept-Version',
    'Content-Length',
    'Content-MD5',
    'Content-Type',
    'Date',
    'X-Api-Version',
    'X-Response-Time',
    'Authorization'
].join(', ');

This is one of the few things left before being able to push to production. Any thoughts?

Nick Parsons

2 Answers

1

The latest version of restify implements CORS natively... so you can add something like this (fullResponse seems to be needed when you use CORS):

shoorkServer.use(restify.CORS());
shoorkServer.use(restify.fullResponse());

If you use Backbone or jQuery, you should modify the server side like this:

shoorkServer.use(restify.CORS( {credentials: true} ));
shoorkServer.use(restify.fullResponse());

And use credentials with jQuery:

$.ajaxSetup({
    xhrFields: {
       withCredentials: true
    }
});
0

You need to enable cross origin resource sharing on your server: http://enable-cors.org/

limscoder
  • Restify fullResponse plugin enables CORS by default. We're good on that front. Cross origin calls have been working great up until we added a custom header -- then it broke. I have a feeling that it has something to do with OPTIONS not being enabled. – Nick Parsons Jan 18 '13 at 20:36
  • The OPTIONS request queries the server to check if CORS is enabled before sending the actual request. Your server must need some other switch to be toggled on to properly respond to OPTIONS requests. – limscoder Jan 19 '13 at 16:16
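
Added example, not part of the original thread and not Restify's own code: a framework-independent sketch of the decision a server has to make for the OPTIONS preflight discussed above, so that a cross-origin request carrying an Authorization header is allowed only for trusted origins. The function name `corsDecision`, the origin `https://app.example.com` and the max-age value are assumptions made for illustration.

```javascript
// Constructed allowlist: with credentials enabled, only named origins are trusted.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
// Lower-cased copy of the question's ALLOW_HEADERS list, including Authorization.
const ALLOWED_HEADERS = ['accept', 'accept-version', 'content-length', 'content-md5',
  'content-type', 'date', 'x-api-version', 'x-response-time', 'authorization'];

// headers: object keyed by lower-cased header names (as Node's http module provides).
function corsDecision(method, headers) {
  const origin = headers['origin'];
  // Same-origin request or untrusted origin: emit no CORS headers at all.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { preflight: false, status: null, headers: {} };
  }
  const out = {
    // Echo the specific origin; browsers reject "*" on credentialed requests.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  const wantedMethod = headers['access-control-request-method'];
  if (method !== 'OPTIONS' || !wantedMethod) {
    // Actual request: the normal handler (and Basic Auth check) runs next.
    return { preflight: false, status: null, headers: out };
  }
  // Preflight: every header the browser asks to send must be on the allowlist.
  const wantedHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    return { preflight: true, status: 403, headers: { 'Vary': 'Origin' } };
  }
  out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  if (wantedHeaders.length) {
    out['Access-Control-Allow-Headers'] = wantedHeaders.join(', ');
  }
  out['Access-Control-Max-Age'] = '600';
  // Answer 204 here without running authentication: browsers send the
  // preflight without the Authorization header, so a 401 would fail it.
  return { preflight: true, status: 204, headers: out };
}
```

In a server, this would run before the authentication step: when `preflight` is true, write `status` and `headers` and end the response; otherwise add `headers` to the normal response.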