SoftInstigate / restheart-security

Authorization and Authentication microservice for RESTHeart

Home Page:https://restheart.org/docs/security/overview/


Auth-Tokens cannot be used in webapps when restheart and restheart-security are used

lenalebt opened this issue · comments

Expected Behavior

Responses from restheart-security should contain CORS header access-control-expose-headers including all the values Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location, X-Powered-By

We're interested especially in Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location here.

Current Behavior

Restheart responds with access-control-expose-headers: Location, ETag, X-Powered-By. Restheart security checks that CORS headers are already present and does not alter them. Since Restheart security cares about the auth tokens and all of that, the header values access-control-expose-headers: Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location are not allowed to be read by browser-side JavaScript.

Context

We're moving to the new restheart major release 4.0+

Environment

n/a

Steps to Reproduce

  1. Use Restheart-security and restheart
  2. Send Request with valid basic auth credentials to Restheart-Security
  3. Observe header access-control-expose-headers.

Possible Implementation

If access-control-expose-headers is present, add relevant values instead of simply accepting what downstream restheart did.
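The merge described under "Possible Implementation", as an added example that is not restheart-security's own code: it keeps whatever the downstream response already lists, appends the token header names that are missing, and (an assumption about the defender's intent, not stated in the issue) refuses to rely on a `*` entry, since browsers only treat `*` as a wildcard for requests sent without credentials. Function names and the handling of an absent header are assumptions.

```python
from typing import Optional

# Header names the proxy must expose so browser-side code can read the token
# it issues (names taken from the issue text above).
AUTH_TOKEN_HEADERS = ("Auth-Token", "Auth-Token-Valid-Until", "Auth-Token-Location")


def _split_header_list(value: str) -> list[str]:
    """Split a comma-separated header-name list, dropping blank entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def merge_expose_headers(downstream_value: Optional[str],
                         required: tuple = AUTH_TOKEN_HEADERS) -> str:
    """Return the Access-Control-Expose-Headers value the proxy should send.

    Downstream entries are preserved in order; each required name not already
    present is appended. Header names compare case-insensitively. A '*' entry
    is kept but does not count as covering the required names: for credentialed
    requests (which an authenticated call is) browsers treat '*' literally.
    """
    existing = _split_header_list(downstream_value) if downstream_value else []
    seen = {name.lower() for name in existing}
    merged = list(existing)
    for name in required:
        if name.lower() not in seen:
            merged.append(name)
            seen.add(name.lower())
    return ", ".join(merged)


def fix_response_headers(headers: dict) -> dict:
    """Apply the merge to a response's header map (case-insensitive key lookup).

    If the downstream response carried no expose header at all, one is added
    under the canonical name; otherwise the downstream's own key is reused.
    """
    key = next((k for k in headers if k.lower() == "access-control-expose-headers"),
               "Access-Control-Expose-Headers")
    fixed = dict(headers)
    fixed[key] = merge_expose_headers(headers.get(key))
    return fixed


if __name__ == "__main__":
    # Constructed sample of the downstream response the issue describes.
    downstream = {"access-control-expose-headers": "Location, ETag, X-Powered-By",
                  "Auth-Token": "constructed-example-token"}
    print(fix_response_headers(downstream)["access-control-expose-headers"])
```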

Hi @lenalebt ,

Will fix in upcoming restheart-platform-security 4.1