CORS + API Auth breaks #863

Open
ironhacker opened this issue Feb 28, 2025 · 9 comments
ironhacker commented Feb 28, 2025

I downloaded and compiled main to get the new CORS support and it works OK until I enable API Auth. Either setting works on its own, but both combined fail with a 401 Unauthorized on the preflight request. If I make the same GET request from Postman (no preflight) with API Key it's good.

export ENABLE_AUTH=true
export AUTH_DATA_SOURCE=file://auth.yaml (abbreviated here)
export AUTH_PROVIDER=apiKey (this seems required now - defaults to basic auth)

CORS + ENABLE_AUTH=false (this works fine)

CORS + ENABLE_AUTH=true (works in Postman, but fails in Browser with 401 in preflight)

My auth file looks like this. Aside: this seems confusing. Turning on auth should secure all endpoints by default. I have no idea what's leaking.

name: db2rest-security

resourceRoles:
  - resource: "/v1/rdbms/db/**"
    method: get
    roles:
      - admin
  - resource: "/v1/rdbms/db/**"
    method: post
    roles:
      - admin

apiKeys:
  - key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    roles: [admin]
    active: true

Do I have a configuration issue? FYI I tried adding options explicitly - didn't help.

kdhrubo (Collaborator) commented Feb 28, 2025

There are some issues with auth #848

You will hear back from us soon.

@kdhrubo kdhrubo added the needs-triage Needs triage label Feb 28, 2025
@kdhrubo kdhrubo modified the milestones: Feb2025, Mar2025 Feb 28, 2025
kdhrubo (Collaborator) commented Mar 2, 2025

@ironhacker, able to replicate with a simple Vue app.
@kdhrubo kdhrubo added bug Something isn't working and removed needs-triage Needs triage labels Mar 2, 2025
kdhrubo (Collaborator) commented Mar 2, 2025

The pre-flight request is getting blocked by the Auth filter.
The CORS problem has to be solved by configuring the CORSFilter with a higher priority than the auth filter. @AmeyaKulkarni2001

AmeyaKulkarni2001 (Contributor) commented

Hi,
I understand, let me look into this.

kdhrubo (Collaborator) commented Mar 3, 2025

Solution outline

  1. Use CORS Filter - https://docs.spring.io/spring-framework/reference/web/webmvc-cors.html#mvc-cors-filter
  2. Javadoc - https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/CorsFilter.html
  3. Ensure this filter is only created if CORS is enabled (new parameter).
  4. This filter should have higher priority than Auth filter.
  5. The configuration should look like this:

cors:
  enabled: true
  mappings:
    - mapping: /actor/**
      allowedOrigin: http://localhost:3000 # this should not be *
      allowedHeader: *
      allowedMethod: *
    .... more mappings
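As an added illustration (not db2rest's own code), a Spring Boot 3 configuration that follows the outline above: it is created only when `cors.enabled=true`, binds the mapping list under the property names from step 5, and registers Spring's `CorsFilter` at highest precedence so the preflight is answered before the auth filter runs. The package, class and property names are assumptions, and a bare `*` in YAML must be quoted (`"*"`) to parse.

```java
package com.example.cors; // hypothetical package; added example, not db2rest's own code

import java.util.List;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Step 3 of the outline: nothing here is created unless cors.enabled=true.
@Configuration
@ConditionalOnProperty(prefix = "cors", name = "enabled", havingValue = "true")
@EnableConfigurationProperties(CorsFilterConfig.CorsProps.class)
public class CorsFilterConfig {

    // Binds the YAML shape from step 5 (assumed property names). A scalar such as
    // "http://localhost:3000" binds to a one-element list; comma-separated values to more.
    @ConfigurationProperties(prefix = "cors")
    public record CorsProps(boolean enabled, List<Mapping> mappings) {
        public record Mapping(String mapping, List<String> allowedOrigin,
                              List<String> allowedHeader, List<String> allowedMethod) {}
    }

    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilterRegistration(CorsProps props) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        List<CorsProps.Mapping> mappings = props.mappings() == null ? List.of() : props.mappings();
        for (CorsProps.Mapping m : mappings) {
            CorsConfiguration cfg = new CorsConfiguration();
            cfg.setAllowedOrigins(m.allowedOrigin()); // explicit origins; keep this off "*"
            cfg.setAllowedHeaders(m.allowedHeader());
            cfg.setAllowedMethods(m.allowedMethod());
            source.registerCorsConfiguration(m.mapping(), cfg); // e.g. "/actor/**"
        }
        FilterRegistrationBean<CorsFilter> reg = new FilterRegistrationBean<>(new CorsFilter(source));
        // Step 4: a lower order value runs earlier. At highest precedence the CorsFilter answers
        // the OPTIONS preflight itself, so the auth filter (assumed to use a higher value) never
        // sees it and cannot reject it with 401. Non-preflight requests still continue down the chain.
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return reg;
    }
}
```

The filter only short-circuits preflight (OPTIONS) requests; actual GET/POST requests still pass through to the auth filter, so enabling CORS this way does not bypass the API-key check.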

AmeyaKulkarni2001 (Contributor) commented

This bug has been fixed in the latest release, can we close this issue now?

kdhrubo (Collaborator) commented Mar 9, 2025 via email

AmeyaKulkarni2001 (Contributor) commented Mar 9, 2025

It seems that I do not have permission to close an issue, probably because I have not created it. @ironhacker or @kdhrubo, could you close this issue?

Also, should the documentation be updated for the new parameter introduced and for how CORS is now used?

kdhrubo (Collaborator) commented Mar 9, 2025

Yes, the doc has to be updated; that's pending.

@ironhacker, can you please check the latest release and confirm this is resolved for you?
