CORS + API Auth breaks #863

@ironhacker

I downloaded and compiled main to get the new CORS support and it works OK until I enable API Auth. Either setting works on its own, but both combined fail with a 401 Unauthorized on the preflight request. If I make the same GET request from Postman (no preflight) with API Key it's good.

export ENABLE_AUTH=true
export AUTH_DATA_SOURCE=file://auth.yaml  # abbreviated here
export AUTH_PROVIDER=apiKey  # this seems required now - defaults to basic auth

CORS + ENABLE_AUTH=false (this works fine)

CORS + ENABLE_AUTH=true (works in Postman, but fails in Browser with 401 in preflight)

My auth file looks like this. Aside: this seems confusing. Turning on auth should secure all endpoints by default. I have no idea what's leaking.

name: db2rest-security

resourceRoles:
  - resource: "/v1/rdbms/db/**"
    method: get
    roles:
      - admin
  - resource: "/v1/rdbms/db/**"
    method: post
    roles:
      - admin

apiKeys:
  - key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    roles: [admin]
    active: true

Do I have a configuration issue? FYI I tried adding options explicitly - didn't help.
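
A browser sends the CORS preflight as an OPTIONS request that names the API key header in Access-Control-Request-Headers but never carries the key itself, so an auth check applied to every request answers it with 401, while a check that handles preflights first does not. The sketch below is an added example, not part of the original issue and not db2rest code; the header name `x-api-key`, the sample key, the origins and the function names are assumptions.

```javascript
// Added illustration, not db2rest code. Header name, key and origins are assumptions.
const API_KEY_HEADER = "x-api-key";                       // hypothetical header name
const VALID_KEYS = new Set(["constructed-demo-key"]);     // constructed sample key
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed origin

// Fetch standard: a preflight is OPTIONS with Origin and Access-Control-Request-Method.
function isCorsPreflight(req) {
  return req.method === "OPTIONS" &&
    req.headers["origin"] !== undefined &&
    req.headers["access-control-request-method"] !== undefined;
}

// Gate 1: authenticate every request, preflights included.
function authEverything(req) {
  return { status: VALID_KEYS.has(req.headers[API_KEY_HEADER]) ? 200 : 401, headers: {} };
}

// Gate 2: answer preflights from allowed origins first; everything else needs the key.
function corsThenAuth(req) {
  if (!isCorsPreflight(req)) return authEverything(req);
  if (!ALLOWED_ORIGINS.has(req.headers["origin"])) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": req.headers["origin"],
      "access-control-allow-methods": req.headers["access-control-request-method"],
      "access-control-allow-headers": API_KEY_HEADER,
      vary: "Origin",
    },
  };
}

// Constructed requests; header names are lower-cased as Node does.
const preflight = { method: "OPTIONS", headers: {
  origin: "https://app.example",
  "access-control-request-method": "GET",
  "access-control-request-headers": API_KEY_HEADER, // names the header, carries no key
} };
const keyedGet = { method: "GET", headers: { origin: "https://app.example", [API_KEY_HEADER]: "constructed-demo-key" } };
const bareOptions = { method: "OPTIONS", headers: {} }; // OPTIONS, but not a preflight
const foreignPreflight = { method: "OPTIONS", headers: { ...preflight.headers, origin: "https://other.example" } };

for (const [name, req] of Object.entries({ preflight, keyedGet, bareOptions, foreignPreflight })) {
  console.log(name, authEverything(req).status, corsThenAuth(req).status);
}
```

Only requests that match the preflight shape skip the key check; a plain OPTIONS request and every GET or POST are still authenticated.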

Labels: bug (Something isn't working)
