To support direct access to the ACA-py ADMIN interface from a browser SPA it is necessary to consider CORS processing.
Currently aiohttp_cors is set up to allow any origin in setup.py. This means that if the --admin-insecure-mode argument is used, a Single Page web Application (SPA) can be served from anywhere and successfully talk to ACA-py.
If the --admin-api-key argument is provided to support minimal security, all methods return a 401 if the x-api-key header is not provided with a matching key and it is not an unprotected path. This is checked by the check_token() method in setup.py.
The problem is that browsers such as Chrome implement CORS using the OPTIONS web method to first check if a non-origin request is allowed. ACA-py explicitly DOES allow these requests through its aiohttp_cors configuration, but it trips up because the OPTIONS method first hits the check_token() method, which returns a 401 because OPTIONS is never sent with an x-api-key header.
It seems that the expected approach is to ALLOW OPTIONS methods without requiring any authentication. I am requesting this be supported by ACA-py. There is no way a SPA can configure Chrome to send the same x-api-key value on the preflight OPTIONS method as was specified in the triggering GET/POST/PUT/DELETE method.
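The failure mode described in this issue, as an added example that is not ACA-py's own code: a stdlib-only model of the admin API-key check as the reporter describes it (every method on a protected path, OPTIONS included, needs a matching x-api-key), the same check with the requested OPTIONS exemption, and the two-step exchange a browser performs for a cross-origin request that carries a non-safelisted header such as x-api-key. The function names, the sample key value and the unprotected-path list are assumptions for illustration.

```python
"""Added example (not ACA-py's own code): admin API-key check with and
without the OPTIONS exemption the issue asks for, plus the browser's
CORS preflight exchange. Key value and unprotected paths are constructed."""
import hmac

ADMIN_API_KEY = "example-admin-key"           # constructed sample value
UNPROTECTED_PATHS = {"/", "/status/ready"}    # hypothetical unprotected paths


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_token_before(method, path, headers, api_key=ADMIN_API_KEY):
    """Behaviour the issue reports: every method on a protected path,
    OPTIONS included, must carry a matching x-api-key. Returns an HTTP status."""
    if path in UNPROTECTED_PATHS:
        return 200
    supplied = _header(headers, "x-api-key")
    # Constant-time comparison so the key check does not leak timing information.
    if supplied is None or not hmac.compare_digest(supplied.encode(), api_key.encode()):
        return 401
    return 200


def check_token_after(method, path, headers, api_key=ADMIN_API_KEY):
    """Same check, but a CORS preflight (OPTIONS) passes unauthenticated.
    A preflight response carries only Access-Control-* headers, never admin
    data, and the browser never attaches custom headers such as x-api-key to
    it, so it cannot be authenticated the way the real request is."""
    if method.upper() == "OPTIONS":
        return 200
    return check_token_before(method, path, headers, api_key)


def browser_exchange(check, method, path, origin="https://spa.example",
                     api_key=ADMIN_API_KEY):
    """Simulate what Chrome does for a cross-origin request with a
    non-safelisted header (x-api-key): send a credential-less OPTIONS
    preflight first and, only if it succeeds, the real request.
    Returns (preflight_status, actual_status); actual_status is None when
    the preflight failed and the real request was never sent."""
    preflight_headers = {
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": "x-api-key",
    }
    preflight = check("OPTIONS", path, preflight_headers)
    if not 200 <= preflight < 300:
        return preflight, None   # browser reports a CORS error to the SPA
    actual = check(method, path, {"Origin": origin, "x-api-key": api_key})
    return preflight, actual


if __name__ == "__main__":
    print("before fix:", browser_exchange(check_token_before, "GET", "/connections"))
    print("after fix: ", browser_exchange(check_token_after, "GET", "/connections"))
    print("wrong key: ", browser_exchange(check_token_after, "GET", "/connections",
                                          api_key="wrong"))
```

Only the preflight is exempted: with the exemption in place a wrong or missing key on the real GET/POST/PUT/DELETE still gets a 401, so nothing protected becomes reachable through OPTIONS. The unprotected-path set is the one place an operator should still review, since it bypasses the key check for every method.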
jcourt562 added a commit to anonyome/aries-cloudagent-python that referenced this issue on Dec 22, 2021