Regression: CORS is not handled properly
marcinfigiel opened this issue · comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
Version 0.40.0 introduced a regression in CORS handling by the decisions API. Up to v0.39.4 it worked flawlessly, now it's broken.
The regression was introduced by #999 - this line to be exact. It adds the CORS handler after the DecisionHandler.
After this change the CORS preflight requests (OPTIONS) are intercepted and authenticated by the DecisionHandler, which always fails, because browsers don't attach the authentication data to the preflight requests.
Reproducing the bug
- Run Oathkeeper with the API configuration as attached below
- Make Oathkeeper decisions API available under localhost:4456
- Execute the following curl:
curl -i 'http://localhost:4456/decisions/some/api/endpoint' \
-X 'OPTIONS' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.9,pl;q=0.8' \
-H 'Access-Control-Request-Headers: site' \
-H 'Access-Control-Request-Method: GET' \
-H 'Connection: keep-alive' \
-H 'Origin: http://localhost:5000' \
-H 'Referer: http://localhost:5000/' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-site' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'
Expected response (copied from v0.39.4):
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Site
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://localhost:5000
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: Tue, 24 Jan 2023 14:13:33 GMT
Content-Length: 0
Actual response (copied from v0.40.1):
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Date: Tue, 24 Jan 2023 14:16:16 GMT
Content-Length: 95
{"error":{"code":401,"status":"Unauthorized","message":"The request could not be authorized"}}
Relevant log output
No response
Relevant configuration
serve:
  api:
    cors:
      allow_credentials: true
      allowed_headers:
        - Cookie
        - Content-Type
        - Site
      allowed_methods:
        - GET
        - PUT
        - POST
        - PATCH
        - DELETE
      allowed_origins:
        - http://localhost:5000
      debug: false
      enabled: true
      exposed_headers:
        - Access-Control-Allow-Origin
        - Access-Control-Allow-Method
        - Access-Control-Allow-Headers
        - Access-Control-Allow-Credentials
    port: 4456
Version
0.40.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
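A minimal Go reproduction of the handler-ordering problem this issue describes, added here as an example and not Oathkeeper's own code: a simplified stand-in for the decision handler and a reduced CORS preflight handler are wrapped in both orders, and the issue's uncredentialed OPTIONS preflight is replayed against each. The allowed origin (http://localhost:5000) and the credential check (Authorization or Cookie header) are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// decision stands in for Oathkeeper's DecisionHandler (simplified): a request
// without credentials is rejected with 401, as in the issue's actual response.
func decision(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" && r.Header.Get("Cookie") == "" {
			http.Error(w, `{"error":{"code":401,"status":"Unauthorized"}}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// cors is a reduced preflight handler for one allowed origin (assumed:
// http://localhost:5000). A preflight from it is answered here, never by next.
func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == "http://localhost:5000" {
			w.Header().Set("Access-Control-Allow-Origin", "http://localhost:5000")
			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
				w.Header().Set("Access-Control-Allow-Methods", r.Header.Get("Access-Control-Request-Method"))
				w.WriteHeader(http.StatusOK)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// preflightStatus replays the issue's curl (an uncredentialed OPTIONS preflight)
// with CORS wrapped outside (v0.39.4) or inside (v0.40.x) the decision handler.
func preflightStatus(corsFirst bool) int {
	allowed := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := decision(cors(allowed)) // regression: the decision handler sees the preflight first
	if corsFirst {
		h = cors(decision(allowed)) // CORS answers the preflight before any authentication
	}
	r := httptest.NewRequest(http.MethodOptions, "http://localhost:4456/decisions/some/api/endpoint", nil)
	r.Header.Set("Origin", "http://localhost:5000")
	r.Header.Set("Access-Control-Request-Method", "GET")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}
```

The same check is the regression test to keep around: a preflight from an allowed origin must get 200 from the CORS layer regardless of what the decision handler would say about an uncredentialed request.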