API: credentials on preflight?


Using Kirby 3 for an upcoming project was a no-brainer. Thanks for the superb quality!
However, I have encountered an issue with using the newly available API “in CORS mode”.

Let’s assume my frontend is a Nuxt.js frontend, running on example.org.
My API is on api.example.org and therefore considered CORS.

Using axios for an API request and Basic auth results in an OPTIONS request, a so-called preflight. According to the W3 specification, the preflight should never include credentials.
Unfortunately this already results in a 403 Forbidden error since axios is by design (and according to standards) omitting credentials while Kirby is looking for a user.

For now I have fixed this by including this in the authentication.php of the holy kirby folder:

// CORS preflights carry no credentials, so skip the user check for them
$request = $this->kirby()->request();
if ($request->method() === 'OPTIONS') {
    return true;
}

It's not nice in any way. Could someone maybe lead me to a better solution? Or clarify whether this behaviour is by design?


I am still trying to wrap my head around it. What is this preflight OPTIONS request for?

I’m still encountering this issue. I’m getting a 403 error when hitting the Kirby API with the following code:

axios.get('https://cms.asoov.local/api/pages/home', {
  auth: {
    username: USERNAME,
    password: PASSWORD
  }
}).then(response => console.log(response)).catch(error => console.log(error));

Is there a workaround for this issue?
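
Added example, not part of the thread and not Kirby's own code: a framework-agnostic model of an API gate that answers the credential-less preflight described above before authentication, only for allow-listed origins, methods and headers, and still requires Basic auth on every other request. All names (`handleRequest`, `checkBasicAuth`, the allow-lists, the demo credential) are hypothetical, and requests are assumed to be plain objects with lower-cased header names.

```javascript
// Added illustration; every name below is hypothetical, not Kirby's API.
// Requests are plain objects with lower-cased header names (assumption).
const ALLOWED_ORIGINS = new Set(['https://example.org']);
const ALLOWED_METHODS = ['GET', 'POST', 'PATCH', 'DELETE'];
const ALLOWED_HEADERS = ['authorization', 'content-type'];

// Constructed demo credential; a real API would query its user store.
function checkBasicAuth(header) {
  if (!header || !header.startsWith('Basic ')) return false;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  return decoded === 'editor@example.org:constructed-password';
}

// A real preflight is OPTIONS plus Origin plus Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS' && 'origin' in req.headers &&
    'access-control-request-method' in req.headers;
}

function handleRequest(req) {
  const origin = req.headers['origin'];
  const known = ALLOWED_ORIGINS.has(origin);
  const cors = known ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' } : {};

  if (isPreflight(req)) {
    // Preflights carry no credentials: answer before auth, run no route
    // handler, and approve only what the allow-lists cover.
    const method = req.headers['access-control-request-method'];
    const wanted = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const ok = known && ALLOWED_METHODS.includes(method) &&
      wanted.every(h => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {}, body: null };
    return { status: 204, body: null, headers: { ...cors,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', ') } };
  }

  // Everything else, including a bare OPTIONS, still needs credentials.
  if (!checkBasicAuth(req.headers['authorization'])) {
    return { status: 401, headers: cors, body: null };
  }
  return { status: 200, headers: cors, body: { ok: true } };
}
```

Unlike a blanket "OPTIONS is always authenticated" rule, this gate lets an OPTIONS request through without credentials only when it is a well-formed preflight from an allow-listed origin, and even then it returns headers only.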