HTTP API is unable to handle CORS preflight requests
cdauphinee opened this issue · 2 comments
Summary: Toxy's HTTP API doesn't accept well-formed CORS preflight requests. It encounters an error unless both a Content-Type header and a body are present, neither of which should be in a CORS preflight request. This essentially makes CORS support non-functional.
Additionally, if authorization is enabled, it attempts to validate the Authorization or API-Key headers on the preflight request.
I have a Toxy server set up as such:
```js
var toxy = require('toxy');
// Admin HTTP API with CORS enabled and API-key authorization
var admin = toxy.admin({ cors: true, apiKey: 'secret' });
// Proxy everything on port 80 to the upstream API
var proxy = toxy();
proxy.forward('http://api.preview.mydomain.com');
proxy.all('/*');
proxy.listen(80);
// Expose the proxy through the admin API on port 3000
admin.manage(proxy);
admin.listen(3000);
```
When I try to send an XHR to the HTTP API from my browser, it sends this preflight:
```http
OPTIONS http://toxy.preview.mydomain.com:3000/ HTTP/1.1
Host: toxy.preview.mydomain.com:3000
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost:27614
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Access-Control-Request-Headers: API-Key
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
And I receive this response:
```http
HTTP/1.1 415 Unsupported Media Type
Date: Wed, 29 Nov 2017 22:51:01 GMT
Server: toxy (admin)
Content-Length: 0
Connection: keep-alive
```
If I copy the preflight request and send it with an additional `Content-Type: application/json` header, I receive this error:
```http
HTTP/1.1 500 Internal Server Error
Date: Wed, 29 Nov 2017 22:52:32 GMT
Server: toxy (admin)
Content-Length: 35
Connection: keep-alive

{"error":"Unexpected end of input"}
```
I change the preflight request again, to contain a body of `{}`, and receive yet another error:
```http
HTTP/1.1 401 Unauthorized
Date: Wed, 29 Nov 2017 22:52:51 GMT
Server: toxy (admin)
Content-Length: 0
Connection: keep-alive
```
Finally, I add the `API-Key: secret` header, and it accepts the preflight request (which, at this point, is very malformed):
```http
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Origin: localhost
Date: Wed, 29 Nov 2017 22:53:42 GMT
Server: toxy (admin)
Content-Length: 0
Connection: keep-alive
```
Try upgrading toxy: `npm i toxy@v0.3.15`
That fixed it, thank you!