Allowing Unauthenticated OPTIONS for Preflight Checks

I am working on adding support for CORS headers. To achieve this, I need to allow unauthenticated OPTIONS requests for preflight checks. Below are my current proxy settings:

<ProxyEndpoint name="my-proxy">
    <DefaultFaultRule name="all">
        <AlwaysEnforce>true</AlwaysEnforce>
        <Step>
            <Name>FC-FaultRule</Name>
        </Step>
    </DefaultFaultRule>
    <HTTPProxyConnection>
        <Properties>
            <Property name="mc.target.platforms">AWS:my-platform</Property>
            <Property name="mc.target.platform.aws">ALL</Property>
            <Property name="mc.path.firstpath/v1">/firstpath/v1,POST,OPTIONS</Property>
            <Property name="mc.path.secondpath/v1/*">/secondpath/v1/*,GET,PATCH,OPTIONS</Property>
        </Properties>
        <BasePath>/base-path/</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="my-default-route">
        <TargetEndpoint>my-default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

And here is the target endpoint:

<TargetEndpoint name="my-default">
    <HTTPTargetConnection>
        <URL>https://my-id.execute-api.eu-west-2.amazonaws.com/dev{path}</URL>
    </HTTPTargetConnection>
</TargetEndpoint>

In the settings mentioned above, the OPTIONS request uses authentication, which causes the preflight checks to fail. How can I serve OPTIONS without authentication?


@mike-byrne wrote:

In the settings mentioned above, the OPTIONS request uses authentication, which causes the preflight checks to fail. How can I serve OPTIONS without authentication?


I don't see anything in your API proxy that is involved with CORS. There's no CORS policy.

Normally you would attach the CORS policy in the request preflow, and it would just work (without requiring authentication).

Here's a screencast I did some time ago. It's still relevant.

Here's a more recent sample that you can deploy into your environment.

Thanks @dchiesa1.

I added the following policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORS name="CORS-Policy">
    <AllowOrigins>*</AllowOrigins>
    <AllowHeaders>origin, x-requested-with</AllowHeaders>
    <AllowMethods>GET, POST, PATCH</AllowMethods>
    <ExposeHeaders>*</ExposeHeaders>
    <MaxAge>180</MaxAge>
    <AllowCredentials>false</AllowCredentials>
    <GeneratePreflightResponse>true</GeneratePreflightResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>

And included it in the proxy, so it looks like:

<ProxyEndpoint name="my-proxy">
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>CORS-Policy</Name>
            </Step>
        </Request>
    </PreFlow>
    <DefaultFaultRule name="all">
        <AlwaysEnforce>true</AlwaysEnforce>
        <Step>
            <Name>FC-FaultRule</Name>
        </Step>
    </DefaultFaultRule>
    <HTTPProxyConnection>
        <Properties>
            <Property name="mc.target.platforms">AWS:my-platform</Property>
            <Property name="mc.target.platform.aws">ALL</Property>
            <Property name="mc.path.firstpath/v1">/firstpath/v1,POST,OPTIONS</Property>
            <Property name="mc.path.secondpath/v1/*">/secondpath/v1/*,GET,PATCH,OPTIONS</Property>
        </Properties>
        <BasePath>/base-path/</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="my-default-route">
        <TargetEndpoint>my-default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

But I am getting this error in the build pipeline:

The policy type (CORS) is not available in the profile apigee. P028

My folder structure:

├── apiproxy/
│   │
│   ├── policies/
│   │   ├── CORS-Policy.xml
│   │   └── ... (other policies)
│   │
│   ├── proxies/
│   │   └── my_proxy.xml

Any idea why I am getting this error?

Any idea why I am getting this error?

YES

The CORS policy is available in Apigee X and hybrid. As far as I know, it is not available in Apigee Edge.

Your build pipeline is apparently running apigeelint, which supports different profiles. It is running the profile for Apigee (Apigee Edge), which means apigeelint will tell you, "you can't use that policy, it's not supported in your version of Apigee." Which is correct behavior.

If you are using Apigee X or hybrid, you need to modify your apigeelint to use the apigeex profile.
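As an added, offline check that is not from the thread or from Apigee's own tooling: a small Python script that parses a copy of the CORS policy posted above together with the proxy's route properties, and flags any method a route declares that the policy does not allow, plus a wildcard origin combined with credentials. It assumes the `mc.path.*` values keep the "path,METHOD,..." layout shown in the proxy; the sample XML is constructed, with DELETE added to one route so the check has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the thread's CORS policy (XML declaration dropped).
CORS_POLICY_XML = """<CORS name="CORS-Policy">
  <AllowOrigins>*</AllowOrigins>
  <AllowHeaders>origin, x-requested-with</AllowHeaders>
  <AllowMethods>GET, POST, PATCH</AllowMethods>
  <AllowCredentials>false</AllowCredentials>
  <GeneratePreflightResponse>true</GeneratePreflightResponse>
</CORS>"""

# Constructed, trimmed ProxyEndpoint; DELETE added to one route so the
# check has something to flag. Assumes the "path,METHOD,..." value layout.
PROXY_XML = """<ProxyEndpoint name="my-proxy">
  <HTTPProxyConnection><Properties>
    <Property name="mc.path.firstpath/v1">/firstpath/v1,POST,OPTIONS</Property>
    <Property name="mc.path.secondpath/v1/*">/secondpath/v1/*,GET,PATCH,DELETE,OPTIONS</Property>
  </Properties></HTTPProxyConnection>
</ProxyEndpoint>"""


def _csv(text):
    """Split 'a, b,c' into stripped, non-empty tokens."""
    return [t.strip() for t in (text or "").split(",") if t.strip()]


def check_cors(policy_xml, proxy_xml):
    """Return a list of finding strings; an empty list means policy and proxy agree."""
    policy, proxy = ET.fromstring(policy_xml), ET.fromstring(proxy_xml)
    findings = []
    origins = _csv(policy.findtext("AllowOrigins"))
    credentials = (policy.findtext("AllowCredentials") or "false").strip().lower() == "true"
    allowed = {m.upper() for m in _csv(policy.findtext("AllowMethods"))}

    # Browsers reject a wildcard origin combined with credentials, and the pair
    # signals an over-broad policy, so flag it before anything else.
    if "*" in origins and credentials:
        findings.append("AllowOrigins '*' combined with AllowCredentials true")

    # Every method a route declares must be in AllowMethods or its preflight
    # fails. OPTIONS is the preflight itself, answered by the policy, so skip it.
    for prop in proxy.iter("Property"):
        if not prop.get("name", "").startswith("mc.path."):
            continue
        path, *methods = _csv(prop.text)
        missing = sorted({m.upper() for m in methods} - allowed - {"OPTIONS"})
        if missing:
            findings.append(f"{path}: {', '.join(missing)} not in AllowMethods")
    return findings
```

Run `check_cors(CORS_POLICY_XML, PROXY_XML)` against the policy and proxy files in your `apiproxy/` tree before apigeelint runs, so a route/policy mismatch is caught locally rather than as a failed preflight in the browser.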