Amend nginx/vouch handler to not validate OPTIONS requests
jbwtan1 opened this issue · 7 comments
Expected behavior
IIRC when a browser performs an OPTIONS request as part of a CORS request, it intentionally does not send a vouch cookie. I believe that vouch will still try and validate the request and check if the jwt is present so the OPTIONS request will always fail.
I expect vouch to allow OPTIONS requests to the application (where it should respond regardless of whether user is logged in or not)
If you're running into OPTIONS issues I think the best place to handle that is Nginx...
    auth_request /validate;
    location /validate {
        # for CORS preflight requests, just return 200 since a preflight request does not contain a cookie
        # https://stackoverflow.com/questions/41760128/cookies-not-sent-on-options-requests
        if ($request_method = 'OPTIONS') {
            return 200;
        }
        proxy_pass http://vouch.yourdomain.com/validate;
        proxy_set_header Host $http_host;
        # these return values are used by the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }
Thanks @bnfinet. Agree nginx sounds like a good place to handle this. Want me to create a PR to update the example nginx config? I imagine that most users would want this check in case an OPTIONS request ever hits the reverse proxy, so could be sensible to add your if-request-equals-options check as an uncommented example?
@jbwtan1 I've added a link to this issue from the README
Thanks for making VP better!
I added this but still get an error. It is caused when the redirect link is hit when the tab is left open and probably the cookies expire after a period. Added the following to /validate:
    # for CORS preflight requests, just return 200 since a preflight request does not contain a cookie
    # https://stackoverflow.com/questions/41760128/cookies-not-sent-on-options-requests
    if ($request_method = 'OPTIONS') {
        return 200;
    }
But still get something like:
Access to fetch at 'https://auth.y.z/zzz' (redirected from 'https://x.y.z/a/b') from origin 'https://x.y.z' has been blocked by CORS policy. Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
Any clues what I could be missing?
@snowPu no idea. Happy to help but I need more info.
Could you please put your full nginx config for that app into a gist.
@snowPu that config looks good to my eyes. I'm not sure why it's not responding with 200 OK. How very peculiar.
You could add additional logging with...
    # in the `http{}` stanza
    log_format vouchlog "$time_local $remote_addr $request $request_method $http_referer $upstream_http_x_vouch_user $auth_resp_success $status";
and then
    # in `server{}`
    location / {
        ...
        access_log /var/log/nginx/vouch.log vouchlog;
    }
That might tease out whatever is going on.
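Added example (not part of the thread and not Vouch Proxy project code): a Python script that reads lines written in the `vouchlog` format suggested above and lists preflight (OPTIONS) requests that ended in a non-2xx status, such as the redirect named in the browser error. The function names are hypothetical, the sample lines are constructed, and it assumes empty fields are logged as `-` and that only `$request` contains spaces.

```python
# Added example: find CORS preflights that were not answered with 2xx,
# using the field order of the thread's `vouchlog` log_format.
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    time_local: str
    remote_addr: str
    request: str
    method: str
    referer: str
    vouch_user: str
    auth_success: str
    status: int


def parse_vouchlog(line: str) -> Optional[Entry]:
    """Parse one vouchlog line; return None when it does not fit the format.

    Assumption: $time_local is two tokens ("date +zone") and the five fields
    after $request hold no spaces. $request may contain spaces, so it is
    taken as everything between the fixed head (3 tokens) and tail (5 tokens).
    """
    tok = line.split()
    if len(tok) < 9 or not tok[-1].isdigit():
        return None
    request = " ".join(tok[3:-5])
    method, referer, user, success, status = tok[-5:]
    return Entry(" ".join(tok[:2]), tok[2], request, method, referer,
                 user, success, int(status))


def failed_preflights(lines: List[str]) -> List[Entry]:
    """Return OPTIONS entries whose final status is outside 200-299."""
    entries = (parse_vouchlog(line) for line in lines)
    return [e for e in entries
            if e and e.method == "OPTIONS" and not 200 <= e.status < 300]


# Constructed sample lines, not taken from the thread.
SAMPLE = [
    "12/Mar/2024:10:15:01 +0000 203.0.113.7 OPTIONS /a/b HTTP/1.1 OPTIONS https://x.example/ - - 302",
    "12/Mar/2024:10:15:02 +0000 203.0.113.7 GET /a/b HTTP/1.1 GET https://x.example/ alice@example.com true 200",
    "12/Mar/2024:10:15:03 +0000 203.0.113.9 OPTIONS /api HTTP/1.1 OPTIONS - - - 204",
    "not a vouchlog line",
]

if __name__ == "__main__":
    for e in failed_preflights(SAMPLE):
        print(e.time_local, e.remote_addr, e.request, e.status)
```

A preflight listed here reached a location that answered with a redirect or an error instead of the `return 200` branch, which narrows down which `location` block actually served it.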