disable auth for OPTIONS method in apache

Thread starter: Nilesh (Guest)
We have third-party authentication, and it was configured in apache.conf as below.

Code:
<Location /myapi>
  MyRequireAuth on
</Location>

This means that when anyone sends a request to /myapi, it has to be validated by MyRequireAuth, and it needs X-Auth-Token in the request headers.

We are using axios for our JS client and make requests to /myapi endpoints. We intercept the axios request and add X-Auth-Token in the headers.

Code:
import axios from "axios";

// Send cookies with cross-origin requests.
let axiosInstance = axios.create({ withCredentials: true });

// Attach the X-Auth-Token header to every non-GET request.
axiosInstance.interceptors.request.use(function (config) {
  if (config.method === "get") {
    return config;
  }
  // Read the token value from the "xauthtoken" cookie.
  let token = "";
  let name = "xauthtoken=";
  let ca = document.cookie.split(";");
  for (let i = 0; i < ca.length; i++) {
    let c = ca[i];
    while (c.charAt(0) === " ") {
      c = c.substring(1);
    }
    if (c.indexOf(name) === 0) {
      token = c.substring(name.length, c.length);
    }
  }
  config.headers["X-Auth-Token"] = token;
  // config.headers["Access-Control-Allow-Origin"] = "https://local-domain.com:4443";

  return config;
});

It works fine when we deploy the UI and API on the same server.

During testing, we want to hit /myapi from our UI, which is running on localhost. Now the request is not coming from the same domain, and it starts giving a CORS error for POST and PUT calls.

When I debugged the details in inspect mode in the Firefox browser, I was able to see that when there is a POST call, axios sends an OPTIONS request first and then the POST. When axios sends the OPTIONS request, it is not sending X-Auth-Token.

What I want to do is tell Apache that for OPTIONS and HEAD method calls, it should not validate the auth. Disable it for these 2 methods.

I tried

Code:
  <Location /myapi>
    <LimitExcept OPTIONS>
        MyRequireAuth on
    </LimitExcept>
    Header set Access-Control-Allow-Origin "https://local-domain.com:4443"
  </Location>

But this does not seem to work; it still tries to validate the OPTIONS method. I also added Access-Control-Allow-Origin to remove the CORS error. But no luck :(

How do I tell Apache not to give a CORS error even if the request is coming from a different domain?
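
The preflight exchange described in the post, as an added example that is not part of the original post: a simplified model of the browser's CORS rules showing what the OPTIONS request carries and what its response must contain before a credentialed (`withCredentials: true`) request with `X-Auth-Token` is sent. All function names are hypothetical, and the model leaves out some safelist details such as the `Range` header.

```javascript
// Added illustration: simplified model of the browser's CORS preflight rules.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") {
      return !SAFE_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
    }
    return !SAFE_HEADERS.has(n);
  }).map(([name]) => name.toLowerCase()).sort();
}

// The OPTIONS request the browser sends first, or null when none is needed.
function buildPreflight({ method, url, origin, headers }) {
  const names = unsafeHeaders(headers);
  const verb = method.toUpperCase();
  if (SAFE_METHODS.has(verb) && names.length === 0) return null;
  const h = { Origin: origin, "Access-Control-Request-Method": verb };
  if (names.length) h["Access-Control-Request-Headers"] = names.join(",");
  return { method: "OPTIONS", url, headers: h }; // header names only, no cookies
}

// Reasons the browser would block the real request; empty array means allowed.
// res.headers is assumed to use lower-case keys.
function preflightProblems(req, res, credentialed) {
  const get = (k) => res.headers[k] || "";
  const list = (k) => get(k).split(",").map((s) => s.trim().toLowerCase());
  const star = (items) => items.includes("*") && !credentialed;
  const out = [];
  if (res.status < 200 || res.status > 299) out.push(`status ${res.status} is not 2xx`);
  const ao = get("access-control-allow-origin");
  if (ao !== req.origin && !(ao === "*" && !credentialed)) out.push("origin not allowed");
  if (credentialed && get("access-control-allow-credentials") !== "true")
    out.push("credentials not allowed");
  const verb = req.method.toUpperCase();
  const methods = list("access-control-allow-methods");
  if (!SAFE_METHODS.has(verb) && !methods.includes(verb.toLowerCase()) && !star(methods))
    out.push(`method ${verb} not allowed`);
  const allowed = list("access-control-allow-headers");
  for (const n of unsafeHeaders(req.headers))
    if (!allowed.includes(n) && !star(allowed)) out.push(`header ${n} not allowed`);
  return out;
}
```

For a credentialed PUT with a JSON body and `X-Auth-Token`, a 200 preflight response carrying only `Access-Control-Allow-Origin` still returns four problems from `preflightProblems`: credentials, the PUT method, and both header names.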
