OPTIONS requests should be allowed without requiring x-api-key #1575

Closed
jcourt562 opened this issue Dec 22, 2021 · 0 comments
@jcourt562
Contributor

To support direct access to ACA-py ADMIN interface from a browser SPA it is necessary to consider CORS processing.

Currently aiohttp_cors is set up to allow any origin in setup.py. This means that if the --admin-insecure-mode argument is used, a Single Page web Application (SPA) can be served from anywhere and successfully talk to ACA-py.

If the --admin-api-key argument is provided to support minimal security, all methods return a 401 if the x-api-key header is not provided with a matching key and it is not an unprotected path. This is checked by the check_token() method in setup.py.

The problem is that browsers such as CHROME implement CORS using the OPTIONS web method to first check if a non-origin request is allowed. ACA-py explicitly DOES allow these requests through its aiohttp_cors configuration, but it trips up because the OPTIONS method first hits the check_token() method, which returns a 401 because OPTIONS is never sent with an x-api-key header.

It seems that the expected approach is to ALLOW OPTIONS methods without requiring any authentication. I am requesting this be supported by ACA-py. There is no way a SPA can configure CHROME to send the same x-api-key value on the preflight OPTIONS method as was specified in the triggering GET/POST/PUT/DELETE method.
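A small model of the interaction described in this issue, added here as an example rather than ACA-Py's own check_token() or aiohttp middleware: the gate rejects anything without a matching x-api-key, and the `allow_options` switch shows the preflight being refused (the reported bug) versus let through (the requested behaviour). `Request`, `browser_call`, `UNPROTECTED_PATHS` and the origin value are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed for the example; ACA-Py's real list of unprotected admin paths is not reproduced.
UNPROTECTED_PATHS = {"/status/live", "/status/ready"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names assumed lowercased


def check_token(request: Request, admin_api_key: Optional[str], allow_options: bool = True) -> int:
    """Return the status the admin API-key gate produces: 200 = request proceeds
    to the route handler (and to the CORS layer), 401 = rejected before CORS runs."""
    if admin_api_key is None:
        return 200  # --admin-insecure-mode: no key configured, nothing to check
    # The fix requested in the issue: a CORS preflight is an OPTIONS request the
    # browser sends with only CORS headers, so it can never carry x-api-key.
    if allow_options and request.method.upper() == "OPTIONS":
        return 200
    if request.path in UNPROTECTED_PATHS:
        return 200
    supplied = request.headers.get("x-api-key", "")
    # Constant-time comparison so the key is not leaked byte-by-byte via timing.
    if hmac.compare_digest(supplied.encode(), admin_api_key.encode()):
        return 200
    return 401


def browser_call(path: str, method: str, api_key: str, admin_api_key: Optional[str],
                 allow_options: bool = True) -> Tuple[int, int]:
    """Model the two requests a cross-origin SPA makes: the preflight OPTIONS
    (CORS headers only) followed by the real request carrying x-api-key.
    Returns (preflight_status, actual_status)."""
    preflight = Request("OPTIONS", path, {
        "origin": "https://spa.example",  # constructed origin
        "access-control-request-method": method,
        "access-control-request-headers": "x-api-key",
    })
    actual = Request(method, path, {"x-api-key": api_key})
    return (check_token(preflight, admin_api_key, allow_options),
            check_token(actual, admin_api_key, allow_options))
```

With `allow_options=False` the preflight comes back 401, so the browser never issues the authenticated request at all; with it enabled the preflight passes and the real request is still held to the key check.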

jcourt562 added a commit to anonyome/aries-cloudagent-python that referenced this issue Dec 22, 2021
…k when x-api-key is configured

Signed-off-by: john court <[email protected]>
ianco added a commit that referenced this issue Dec 22, 2021
Add fix for #1575 to allow OPTIONS method to work with x-api-key