Add authentication to OPTIONS request
According to the CORS specification when a preflight request is performed user credentials are excluded.
(...) using the method OPTIONS, and with the following additional constraints:
- (...)
- Exclude the author request headers.
- Exclude user credentials.
- (...)
(emphasis is mine)
With this in mind, the problem seems to be on the API side of things, which should be accepting OPTIONS requests without requiring authentication.
Related videos on Youtube
08 : 16
06 : 06
37 : 05
01 : 11 : 08
01 : 05 : 29
12 : 35
13 : 16
44 : 43
28 : 32
02 : 09
08 : 55
Glenn Utter
Updated on September 16, 2022Comments
-
Glenn Utter over 1 year
How can I add headers to the
OPTIONSrequest made towards a cross-domain API?The API I'm working against requires a JWT token set as
Authorizationheader on all requests.When I try to access to the API Angular first performs an
OPTIONSrequest that doesn't care about my headers that I setup for the "real" request like this:this._headers = new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'Bearer my-token-here' }); return this._http .post(AppConfig.apiUrl + 'auth/logout', params, {headers: this._headers}) ... ...When no token is provided, the API returns HTTP status 401 and Angular thinks the
OPTIONSrequest fails. -
haz over 2 yearsThe source is a living standard and no longer has the quoted text. Is this Answer still correct in 2021? -
João Angelo over 2 yearsAt the present time, in section 3.2.5 (fetch.spec.whatwg.org/#cors-protocol-and-credentials) it's mentioned: "Note that even so, a CORS-preflight request never includes credentials."
-
haz over 2 yearsThanks. I was searching for "user credentials" and was very confused. And also am not great at reading english, apparently.
