Amend nginx/vouch handler to not validate OPTIONS requests

Question

Amend nginx/vouch handler to not validate OPTIONS requests

jbwtan1 opened this issue 4 years ago · 7 comments

Expected behavior
IIRC when a browser performs an OPTIONS request as part of a CORS request, it intentionally does not send a vouch cookie. I believe that vouch will still try and validate the request and check if the jwt is present so the OPTIONS request will always fail.

A clear and concise description of what you expected to happen.
I expect vouch to allow OPTIONS requests to the application (where it should respond regardless of whether user is logged in or not)

Answer 1 · 2020-02-19T18:32:48.000Z

If you're running into OPTIONS issues I think the best place to handle that is Nginx...

    auth_request /validate;

    location /validate {

      # for CORS preflight requests, just return 200 since a preflight request does not contain a cookie
      # https://stackoverflow.com/questions/41760128/cookies-not-sent-on-options-requests
      if ($request_method = 'OPTIONS') {
        return 200;
      }
      proxy_pass http://vouch.yourdomain.com/validate;
      proxy_set_header Host $http_host;

      # these return values are used by the @error401 call
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

    }

Answer 2 · 2020-02-20T10:25:54.000Z

Thanks @bnfinet . Agree nginx sounds like a good place to handle this. Want me to create a PR to update the example nginx config? I imagine that most users would want this check in case an OPTIONS request ever hits the reverse proxy. so could be sensible to add your if-request-equals-options check as an uncommented example?

Answer 3 · 2020-02-20T20:28:43.000Z

@jbwtan1 I've added a link to this issue from the README

Thanks for making VP better!

Answer 4 · 2022-12-06T15:53:41.000Z

I added this but still get an error. It is caused when the redirect link is hit when the tab is left open and probably the cookies expire after a period. Added the following to /validate:

# for CORS preflight requests, just return 200 since a preflight request does not contain a cookie
      # https://stackoverflow.com/questions/41760128/cookies-not-sent-on-options-requests
      if ($request_method = 'OPTIONS') {
        return 200;
      }

But still get something like:

Access to fetch at 'https://auth.y.z/zzz' (redirected from 'https://x.y.z/a/b') from origin 'https://x.y.z' has been blocked by CORS policy. Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Any clues what I could be missing?

Answer 5 · 2022-12-06T17:16:04.000Z

@snowPu no idea. Happy to help but I need more info.

Could you please put your full nginx config for that app into a gist.

Answer 6 · 2022-12-06T17:47:51.000Z

There you go.
https://gist.github.com/snowPu/269f9b31dc2fd737b1576c04ff6b7cbe

Answer 7 · 2022-12-06T18:54:37.000Z

@snowPu that config looks good to my eyes. I'm not sure why it's not responding with 200 OK. How very peculiar.

You could add additional logging with...

# in the `http{}` stanza
log_format vouchlog "$time_local $remote_addr $request $request_method $http_referer $upstream_http_x_vouch_user $auth_resp_success $status";

and then

# in `server{}`
location / {
...
access_log /var/log/nginx/vouch.log vouchlog;
}

That might tease out whatever is going on.