Fix CORS when Authorization header is present

2020-12-22 12:31:30 +01:00 · 2020-12-22 12:31:30 +01:00 · 0e814d3952
commit 0e814d3952
parent 725f3fae04
2 changed files with 42 additions and 2 deletions
--- a/Application.hs
+++ b/Application.hs
@ -146,8 +146,8 @@ makeApplication foundation = do

    -- Create the WAI application and apply middlewares
    appPlain <- toWaiAppPlain foundation
-    return $ logWare $ defaultMiddlewaresNoLogging $ simpleCors appPlain
-
+    return $ logWare $ defaultMiddlewaresNoLogging $ myCors appPlain
+    where myCors = cors (const $ Just (simpleCorsResourcePolicy {corsMethods = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"], corsRequestHeaders = ["Authorization"]}))
 makeLogWare :: App -> IO Middleware
 makeLogWare foundation =
    mkRequestLogger def
--- a/static/test-gonito-as-backend.html
+++ b/static/test-gonito-as-backend.html
@ -43,7 +43,42 @@
                req.send();
            };

+      function testCors() {

+          var createCORSRequest = function(method, url) {
+              var xhr = new XMLHttpRequest();
+              if ("withCredentials" in xhr) {
+                  // Most browsers.
+                  xhr.open(method, url, true);
+              } else if (typeof XDomainRequest != "undefined") {
+                  // IE8 & IE9
+                  xhr = new XDomainRequest();
+                  xhr.open(method, url);
+              } else {
+                  // CORS not supported.
+                  xhr = null;
+              }
+              xhr.setRequestHeader('Authorization', 'Bearer ' +
+                 keycloak.token);
+              //xhr.setRequestHeader('Xyz', 'Blabla');
+              xhr.setRequestHeader('Accept', 'application/json');
+              return xhr;
+          };
+
+          var url = 'http://127.0.0.1:3000/api/list-challenges';
+          var method = 'GET';
+          var xhr = createCORSRequest(method, url);
+
+          xhr.onload = function() {
+              alert("OK");
+          };
+
+          xhr.onerror = function() {
+              alert("NOT OK")
+          };
+
+          xhr.send();
+      }
    </script>
 </head>
 <body onload="initKeycloak()">
@ -55,5 +90,10 @@

  <p><button onclick="loadData('challenge-my-submissions/retroc2')">Other test</button></p>

+  <p><button onclick="loadData('list-challenges')">Yet another
+      test</button></p>
+
+  <p><button onclick="testCors()">CORS</button></p>
+
 </body>
 </html>