Intention

The CORS configuration seems to be valid and works: in a React app I can easily access the gateway. Access via Postman is also possible, so the apiKey can't be causing the problem.

But if I add authentication with apiKey, I get error messages in all browsers. In Chrome:

Issue

OPTIONS https://example-gateway.com/test 401 (Unauthorized)

Access to XMLHttpRequest at 'https://example-gateway.com/test' from origin 'https://example-app.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

What causes this behavior? Does the browser not send the required apiKey with the OPTIONS-CORS request and is therefore blocked?

How can this be solved?

Code

pipelines:
  adminAPI:
    apiEndpoints:
      - testApi
    policies:
      - cors:
          - action:
              origin: [https://example-gateway.com]
              methods: GET,POST,PUT,DELETE,OPTIONS
              preflightContinue: true
              optionsSuccessStatus: 204
              credentials: true
              maxAge: 600
              allowedHeaders:
                - Authorization
              exposedHeaders:
                - Authorization
      - key-auth:
          - action:
              apiKeyHeader: Authorization
              disableHeadersScheme: false
      - proxy:
          - action:
              serviceEndpoint: testBackend
stoniemahonie

1 Answer

I think the problem is that the key-auth is returning 401 for the OPTIONS call for CORS, which is probably the reason why you're running into this problem.

Most likely you'll be able to resolve this by adding a condition on the key-auth call.

http:
  port: ${EG_HTTP_PORT:-8080}
# https:
#   port: 9999
#   tls: {}
admin: # remove this section to disable admin API
  port: 9876
  host: localhost # use 0.0.0.0 to listen on all IPv4 interfaces
apiEndpoints:
  api:
    host: '*'
serviceEndpoints:
  backend:
    url: 'http://localhost:9876' # btw this is EG admin API
policies:
  - proxy
  - key-auth
  - cors
pipelines:
  adminAPI:
    apiEndpoints:
      - api
    policies:
      - cors:
      - key-auth:
        - condition:
            name: not
            condition:
              name: method
              methods:
                - OPTIONS
          # action belongs to the same list item as the condition above
          action:
            apiKeyHeader: Authorization
            disableHeadersScheme: false
      - proxy:
          action:
            serviceEndpoint: backend

Vincenzo
  • Can you please have a look? Another tip would be awesome, thank you! – stoniemahonie Jul 24 '19 at 07:46
  • Thanks for the example. I copied it but still get the error. Have you tested it successfully and are you sure that it works like this? – stoniemahonie Jul 25 '19 at 12:54
  • I did! Are you still facing the issue? That's weird. – Vincenzo Jul 25 '19 at 16:01
  • Okay, so then I guess most likely I have some indentation mistakes in my yaml file, even though there are no errors in the logs. I will have a look, thank you. – stoniemahonie Jul 28 '19 at 20:00
  • Now it works! It was, as suspected, an indentation error. As a suggestion to make Express Gateway easier to use: a) Include this example in the documentation, I think this is a common use case. b) EG should output errors in the logs if the config doesn't work completely. In any case: Thanks for your help and keep up the good work! – stoniemahonie Jul 28 '19 at 21:25
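
Added example (not part of the original thread and not Express Gateway code): a simplified JavaScript model of the pipeline, showing why the preflight gets 401 when key-auth runs unconditionally and what the `not`/`method` condition changes. The policy functions, the sample key, cors echoing the request origin, and the backend answering OPTIONS with 204 are assumptions made for illustration.

```javascript
// Simplified model of a policy pipeline; constructed for illustration, not Express Gateway code.
const ORIGIN = 'https://example-app.com';
const API_KEY = 'apiKey constructed-id:constructed-secret'; // constructed sample value

// cors as configured with preflightContinue: true: set headers, pass the request on.
const cors = (req, res) => { res.headers['access-control-allow-origin'] = req.headers.origin; return true; };
// key-auth: reject any request without the expected Authorization header.
const keyAuth = (req, res) => {
  if (req.headers.authorization === API_KEY) return true;
  res.status = 401;
  return false;
};
// Stand-in for proxy + backend (assumption: the backend answers OPTIONS with 204).
const proxy = (req, res) => { res.status = req.method === 'OPTIONS' ? 204 : 200; return false; };
// Mirrors: condition { name: not, condition: { name: method, methods: [OPTIONS] } }
const notOptions = (req) => req.method !== 'OPTIONS';

// Run policies in order; a policy whose condition is false is skipped.
function run(pipeline, req) {
  const res = { status: null, headers: {} };
  for (const { policy, condition } of pipeline) {
    if (condition && !condition(req)) continue;
    if (!policy(req, res)) break;
  }
  return res;
}

// Browser-side check: a preflight response needs a 2xx status and a matching allow-origin.
const preflightPasses = (req, res) =>
  res.status >= 200 && res.status < 300 &&
  res.headers['access-control-allow-origin'] === req.headers.origin;

// The preflight carries no Authorization header; it only names it in Access-Control-Request-Headers.
const preflight = { method: 'OPTIONS', headers: { origin: ORIGIN,
  'access-control-request-method': 'GET', 'access-control-request-headers': 'authorization' } };
const getNoKey = { method: 'GET', headers: { origin: ORIGIN } };
const getWithKey = { method: 'GET', headers: { origin: ORIGIN, authorization: API_KEY } };

const before = [{ policy: cors }, { policy: keyAuth }, { policy: proxy }];
const after = [{ policy: cors }, { policy: keyAuth, condition: notOptions }, { policy: proxy }];

for (const [name, pipeline] of [['unconditional key-auth', before], ['key-auth skipped for OPTIONS', after]]) {
  const pre = run(pipeline, preflight);
  console.log(name, { preflight: pre.status, passes: preflightPasses(preflight, pre),
    getNoKey: run(pipeline, getNoKey).status, getWithKey: run(pipeline, getWithKey).status });
}
```

Only OPTIONS bypasses key-auth in the second pipeline; a GET without the key is still rejected with 401.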