API: credentials on preflight?



Using Kirby 3 for an upcoming project was a no-brainer. Thanks for the superb quality!
However, I have encountered an issue with using the newly available API “in CORS mode”.

Let’s assume my frontend is a Nuxt.js frontend, running on example.org.
My api is on api.example.org and therefore considered CORS.

Using axios for an API request and Basic auth results in an OPTIONS request, a so called preflight. According to the W3 specification the preflight should never include credentials.
Unfortunately this already results in a 403 Forbidden error since axios is by design (and according to standards) omitting credentials while Kirby is looking for a user.

For now I have fixed this by including this in the authentication.php of the holy kirby folder:

$request = $this->kirby()->request();
if ($request->method() === 'OPTIONS') {
    return true;

Its not nice in any way, could someone maybe lead me to a better solution? Or clarify, if this behaviour is made by design?




I am still trying to wrap my head around it. What is this preflight OPTIONS request for?