I have a Grape-based API running as a rack application, using rack-cors to allow cross-origin requests, and Warden for authentication. CORS is working as expected, but not in cases where I invoke `env['warden'].authenticate`. In these cases, I get an "origin not allowed" response.
I believe this is due to the order of the middleware, but I'm relatively new to rack applications. I found some information describing a similar problem with an example of how to make this work in Rails, by forcing the order of the middleware using `config.middleware.insert_before Warden::Manager, Rack::Cors do ...`, but I don't know of a non-Rails equivalent.
The following is a simplified approximation of my `config.ru`:

```ruby
require 'warden'
require 'rack/cors'
# application.rb defines the Grape API object assigned to `application`
require File.expand_path('../application', __FILE__)

# Warden is listed first, so it is the outermost middleware in this stack
use Warden::Manager do |manager|
  manager.default_strategies :password
end

# rack-cors wraps the API itself
use Rack::Cors do
  allow do
    origins '*'
    resource '/*', :headers => :any, :methods => [:get, :post, :options, :put]
  end
end

run application
```
I've tried swapping the order of the `use` directives, but either way I get the same "origin not allowed" response from methods that use warden. Part of my problem is that I'm not clear on what determines the order of the middleware in rack applications.
Is my hunch that the order of the middleware is causing this problem feasible? It seems like I'm missing something fundamental. I'd like to get rack-cors and Warden to play nicely or to find another solution to allow CORS. I tried explicitly sending the Access-Control-Allow-Origin header but Warden seems to wipe that out as well.
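The following is an added illustration of how Rack middleware nesting order works; it is not the poster's code and does not use the real rack-cors or warden gems. `DemoCors` and `DemoAuth` are stand-ins that mimic only the relevant behaviour: one adds the allow-origin header to any response passing back through it, the other short-circuits an unauthenticated request with a 401, which is what a warden failure app does.

```ruby
# Each "use" in config.ru wraps the app built so far, so the FIRST middleware
# listed is the OUTERMOST one and sees every response, including responses that
# an inner middleware generated without ever reaching the application.

# Stand-in for Rack::Cors (hypothetical): adds the CORS header on the way out.
class DemoCors
  def initialize(app, allowed_origin)
    @app, @allowed_origin = app, allowed_origin
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env['HTTP_ORIGIN'] == @allowed_origin
      headers = headers.merge('Access-Control-Allow-Origin' => @allowed_origin)
    end
    [status, headers, body]
  end
end

# Stand-in for Warden (hypothetical): an unauthenticated request is answered
# here with a 401 that only travels outward through middleware ABOVE this one.
class DemoAuth
  def initialize(app)
    @app = app
  end

  def call(env)
    return [401, { 'Content-Type' => 'text/plain' }, ['unauthorized']] unless env['HTTP_AUTHORIZATION'] == 'Token demo'
    @app.call(env)
  end
end

APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Mimics Rack::Builder: apply the "use" list in order, each entry wrapping the
# stack below it, so the first entry ends up outermost.
def build_stack(middlewares, app)
  middlewares.reverse.inject(app) { |inner, (klass, *args)| klass.new(inner, *args) }
end

CORS_OUTER = build_stack([[DemoCors, 'https://example.test'], [DemoAuth]], APP)
AUTH_OUTER = build_stack([[DemoAuth], [DemoCors, 'https://example.test']], APP)

# Constructed request: a cross-origin call that carries no credentials.
UNAUTHENTICATED = { 'HTTP_ORIGIN' => 'https://example.test' }

def cors_header_present?(stack, env)
  _status, headers, _body = stack.call(env)
  headers.key?('Access-Control-Allow-Origin')
end
```

With `CORS_OUTER` the 401 from the auth layer still carries the CORS header; with `AUTH_OUTER` the 401 is returned before the CORS layer ever runs, so the browser sees a response with no allow-origin header.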