-1

I have a front end in Angular 4, and to connect I'm using phpCAS, which I put in a folder /backend at the same place as my front end.

In my front end, where my index.html from Angular is, there is an index.php file that is launched first and that includes index.html after calling my authentication.

The authentication then works as intended, but whenever I want to disconnect, I'm calling my backend with the following:

Disconnect button in the front end (Angular):

logoutCerbere() {
    return this._http.get("./backend/logout.php").subscribe(data => {
        console.log("Disconnected");
    });
}

logout.php

<?php
require_once 'init.inc.php';
if (phpCAS::isAuthenticated()) {
    // phpCAS::logout() destroys the PHP session itself, redirects the
    // browser to the CAS server's logout page and calls exit(), so the
    // two session_* calls below are never reached.
    phpCAS::logout();
    session_unset();
    session_destroy();
} else {
    header('HTTP/1.0 401 Unauthorized');
    echo 'HTTP/1.0 401 Unauthorized';
}

init.inc.php

<?php
require_once 'CAS-1.3.6/CAS.php';
$CAS_HOST = '*******/****';
$CAS_CONTEXT = '/cas/public/';

//$cas_server_ca_cert_path = '/path/to/cachain.pem';
//phpCAS::setCasServerCACert($cas_server_ca_cert_path);

phpCAS::client(CAS_VERSION_2_0, $CAS_HOST, 443, $CAS_CONTEXT);
// Disables TLS certificate validation of the CAS server; only acceptable
// for testing. In production use setCasServerCACert() above instead.
phpCAS::setNoCasServerValidation();
// Redirects to the CAS login page if the user is not yet authenticated.
phpCAS::forceAuthentication();
?>

I get a CORS error saying that the "Same Origin Policy disallows reading the remote resource at ... (Reason: CORS header 'Access-Control-Allow-Origin' missing)".

What I don't understand is that I'm calling this from my server (since I'm asking to get my PHP file, and my connection works exactly the same way), so there shouldn't be a CORS request.

What am I missing there?

Victor Jozwicki
  • "What am I missing there ?" - The error message will tell you which URL you don't have permission to access. The Ajax **is** making a request to that URL. The Network tab in the developer tools will show you all the requests and responses leading up to it. – Quentin Jun 28 '19 at 07:21
  • It says I don't have access to "***/cas/public/logout". Which doesn't make sense since I have access to "/cas/public/login" ... – Victor Jozwicki Jun 28 '19 at 07:29
  • I bet *** is different between those URLs. The error message should tell you what the two origins are so you can see how they are different. – Quentin Jun 28 '19 at 07:30
  • I just verified (to be sure) it is unfortunately not the case ... – Victor Jozwicki Jun 28 '19 at 07:39
  • Quote the complete error message (and the complete URL of the current page) – Quentin Jun 28 '19 at 07:43
  • "Blocage d'une requête multiorigines (Cross-Origin Request) : la politique "Same Origin" ne permet pas de consulter la ressource distante située sur https://authentification.din.developpement-durable.gouv.fr/cas/public/logout. Raison : l'en-tête CORS "Access-Control-Allow-Origin" est manquant." – Victor Jozwicki Jun 28 '19 at 07:53
  • and the complete URL of the current page? – Quentin Jun 28 '19 at 07:57
  • "*****.dir-est.**.rie.gouv.fr" and it is authorized by the government's CAS – Victor Jozwicki Jun 28 '19 at 08:08
  • That's definitely a different origin. And the browser is clear that there is no `Access-Control-Allow-Origin` that would grant permission to JS to read it. So either you aren't expecting the browser to request that URL and should figure out why, or the server is not configured to use CORS for that URL and should be (and you should figure out why). – Quentin Jun 28 '19 at 08:11
  • I had the same CORS problem for connection at first, where I wanted to make an HTTP request from my front end to the server, but I corrected that by putting everything inside a .php file (meaning server). Because of that I was able to connect properly. Now, using the same exact system but for logout, I get a CORS error. That doesn't make sense to me, unless my index.php somehow escaped and it is using the index.html (Angular) file. But then again, I'm displaying the user's mail with phpCAS::getUser() and it works correctly (request on user.php that has phpCAS::getUser()). – Victor Jozwicki Jun 28 '19 at 08:19
  • @Quentin I get it now. The first time, the authentication is made server side before the include of `index.html`. Once it is included, the getUser works because it's simply a `$this->_user`, but when I do `phpCAS::logout()` it's making an HTTP request to the CAS server, thus enabling the CORS rules to get in. – Victor Jozwicki Jun 28 '19 at 13:02

1 Answer

0

What I was missing is:

  • It is indeed PHP before the include, so there is no CORS, but once we're in the include, it's the HTML/front-end domain.

  • The getUser call is simply retrieving the data from local storage, therefore no CORS is involved.

  • When I wanted to make a disconnect request, the request was made front side, meaning CORS would intervene.

I worked around it by simply putting a <a href="backend/logout.php">Disconnect</a>.

That means that the PHP is run server-side and no CORS will be involved.

Victor Jozwicki
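The answer's plain `<a href>` works because the redirect that phpCAS::logout() issues to the CAS server then happens as a top-level navigation, not inside an XHR whose cross-origin redirect target lacks CORS headers. The following logout.php is an added example, not the asker's code or part of phpCAS: it keeps the navigation path from the answer and also serves an XHR caller by ending the local session and returning the CAS logout URL as JSON, so the Angular side can navigate there itself. It assumes the init.inc.php from the question, `isAjaxRequest()` is a hypothetical helper written here, and the service URL passed to phpCAS::logoutWithRedirectService() is a placeholder.

```php
<?php
// Added example (not the asker's or phpCAS's code). Assumes the question's
// init.inc.php, which calls phpCAS::forceAuthentication() on every request.
require_once 'init.inc.php';

// Hypothetical helper: is this an XHR/fetch call rather than a page load?
// Angular's HttpClient does not set X-Requested-With by default; the front
// end has to add it (or ask for application/json) for this branch to apply.
function isAjaxRequest(): bool
{
    $xrw    = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
    $accept = $_SERVER['HTTP_ACCEPT'] ?? '';
    return strcasecmp($xrw, 'XMLHttpRequest') === 0
        || stripos($accept, 'application/json') !== false;
}

// Logout changes state, so refuse cross-site triggers (logout CSRF).
// Modern browsers send Sec-Fetch-Site; when it is absent we do not block.
$site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
if ($site === 'cross-site') {
    http_response_code(403);
    exit;
}

// Unreachable behind forceAuthentication(), kept as a guard in case
// init.inc.php is changed to checkAuthentication().
if (!phpCAS::isAuthenticated()) {
    http_response_code(401);
    exit;
}

if (isAjaxRequest()) {
    // End the local PHP session here and never redirect: hand the CAS logout
    // URL back so the browser opens it as a top-level navigation.
    $logoutUrl = phpCAS::getServerLogoutURL();
    $_SESSION = [];
    session_destroy();
    header('Content-Type: application/json');
    echo json_encode(['logoutUrl' => $logoutUrl]);
    exit;
}

// Top-level navigation (the <a href> from the answer): phpCAS destroys the
// session, redirects the browser to the CAS logout page and exits. The
// service parameter asks CAS to send the user back afterwards; placeholder.
phpCAS::logoutWithRedirectService('https://app.example.invalid/');
```

On the Angular side the XHR variant reads `data.logoutUrl` from the subscribe callback and calls `window.location.assign(data.logoutUrl)`, which is the same top-level navigation the link produces. Note that init.inc.php's forceAuthentication() will itself redirect an unauthenticated XHR to the CAS login page, which is the same cross-origin redirect problem, so any endpoint meant for XHR callers should be included from a file that uses checkAuthentication() and answers 401 instead.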