h2non/toxy

HTTP API is unable to handle CORS preflight requests

cdauphinee opened this issue · 2 comments

Summary: Toxy's HTTP API doesn't accept well formed CORS preflight requests. It encounters an error unless both a Content-Type header and body are present, neither of which should be in a CORS preflight request. This essentially makes CORS support non-functional.

Additionally, if authorization is enabled, it attempts to validate the Authorization or API-Key headers on the preflight request.


I have a Toxy server set up as such:

var toxy = require('toxy');

var admin = toxy.admin({ cors: true, apiKey: 'secret' });
var proxy = toxy();

proxy.forward('http://api.preview.mydomain.com');
proxy.all('/*');
proxy.listen(80);

admin.manage(proxy);
admin.listen(3000);

When I try to send an XHR to the HTTP API from my browser, it sends this preflight:

OPTIONS http://toxy.preview.mydomain.com:3000/ HTTP/1.1
Host: toxy.preview.mydomain.com:3000
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost:27614
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Access-Control-Request-Headers: API-Key
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

And I receive this response:

HTTP/1.1 415 Unsupported Media Type
Date: Wed, 29 Nov 2017 22:51:01 GMT
Server: toxy (admin)
Content-Length: 0
Connection: keep-alive

If I copy the preflight request and send it with an additional Content-Type: application/json header, I receive this error:

HTTP/1.1 500 Internal Server Error
Date: Wed, 29 Nov 2017 22:52:32 GMT
Server: toxy (admin)
Content-Length: 35
Connection: keep-alive

{"error":"Unexpected end of input"}

I change the preflight request again, to contain a body of {}, and receive yet another error:

HTTP/1.1 401 Unauthorized
Date: Wed, 29 Nov 2017 22:52:51 GMT
Server: toxy (admin)
Content-Length: 0
Connection: keep-alive

Finally, I add the API-Key: secret header, and it finally accepts the preflight request (which, at this point, is very malformed):

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: localhost
Date: Wed, 29 Nov 2017 22:53:42 GMT
Server: toxy (admin)
Content-Length: 0
Connection: keep-alive

h2non commented

Try upgrading toxy:

npm i toxy@v0.3.15

That fixed it, thank you!