Amend nginx/vouch handler to not validate OPTIONS requests

jbwtan1 opened this issue · comments

Expected behavior
IIRC when a browser performs an OPTIONS request as part of a CORS request, it intentionally does not send a vouch cookie. I believe that vouch will still try and validate the request and check if the jwt is present so the OPTIONS request will always fail.

I expect vouch to allow OPTIONS requests to the application (where it should respond regardless of whether user is logged in or not)

If you're running into OPTIONS issues I think the best place to handle that is Nginx...

    auth_request /validate;

    location /validate {

      # for CORS preflight requests, just return 200 since a preflight request does not contain a cookie
      # https://stackoverflow.com/questions/41760128/cookies-not-sent-on-options-requests
      if ($request_method = 'OPTIONS') {
        return 200;
      proxy_pass http://vouch.yourdomain.com/validate;
      proxy_set_header Host $http_host;

      # these return values are used by the @error401 call
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;


Thanks @bnfinet . Agree nginx sounds like a good place to handle this. Want me to create a PR to update the example nginx config? I imagine that most users would want this check in case an OPTIONS request ever hits the reverse proxy. so could be sensible to add your if-request-equals-options check as an uncommented example?

@jbwtan1 I've added a link to this issue from the README

Thanks for making VP better!

I added this but still get an error. It is caused when the redirect link is hit when the tab is left open and probably the cookies expire after a period. Added the following to /validate:

# for CORS preflight requests, just return 200 since a preflight request does not contain a cookie
      # https://stackoverflow.com/questions/41760128/cookies-not-sent-on-options-requests
      if ($request_method = 'OPTIONS') {
        return 200;

But still get something like:

Access to fetch at 'https://auth.y.z/zzz' (redirected from 'https://x.y.z/a/b') from origin 'https://x.y.z' has been blocked by CORS policy. Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Any clues what I could be missing?

@snowPu no idea. Happy to help but I need more info.

Could you please put your full nginx config for that app into a gist.

@snowPu that config looks good to my eyes. I'm not sure why it's not responding with 200 OK. How very peculiar.

You could add additional logging with...

# in the `http{}` stanza
log_format vouchlog "$time_local $remote_addr $request $request_method $http_referer $upstream_http_x_vouch_user $auth_resp_success $status";

and then

# in `server{}`
location / {
access_log /var/log/nginx/vouch.log vouchlog;

That might tease out whatever is going on.