API: credentials on preflight?

grischaerbe · January 28, 2019, 10:48pm

Hi!

Using Kirby 3 for an upcoming project was a no-brainer. Thanks for the superb quality!
However, I have encountered an issue with using the newly available API “in CORS mode”.

Let’s assume my frontend is a Nuxt.js frontend, running on example.org.
My api is on api.example.org and therefore considered CORS.

Using axios for an API request and Basic auth results in an OPTIONS request, a so called preflight. According to the W3 specification the preflight should never include credentials.
Unfortunately this already results in a 403 Forbidden error since axios is by design (and according to standards) omitting credentials while Kirby is looking for a user.

For now I have fixed this by including this in the authentication.php of the holy kirby folder:

$request = $this->kirby()->request();
if ($request->method() === 'OPTIONS') {
    return true;
}

Its not nice in any way, could someone maybe lead me to a better solution? Or clarify, if this behaviour is made by design?

Best,
Grischa

distantnative · March 8, 2019, 7:47pm

I am still trying to wrap my head around it. What is this preflight OPTIONS request for?

soovbue1 · May 8, 2020, 12:57pm

I’m still encountering this issue. I’m getting a 403 error when hitting the Kirby API with the following code:

axios.get('https://cms.asoov.local/api/pages/home', {
  auth: {
    username: USERNAME,
    password: PASSWORD
  }
}).then(response => console.log(response)).catch(error => console.log(error));

Is there a workaround around this issue?

Topic		Replies	Views
API CORS Preflight Error (404 on OPTIONS method) Questions 🤔	9	9849	June 15, 2022
CORS in Kirby as external API	6	3346	May 28, 2020
API Request 403 - Works with Axios but not with fetch?! Questions 🤔	3	4257	February 23, 2021
Kirby ajax call from subdomain -> cross domain error	7	1247	February 17, 2022
Kirby 3's REST API / Fetch Kirby 3	2	1006	July 8, 2020

API: credentials on preflight?

Related topics