c# - .net CORS - Losing Allow Origin header when the response is 401 - not authorized -
I'm trying to determine why/how I'm losing the 'Access-Control-Allow-Origin' header when the response is 401-Unauthorized.

I'm using token-based authentication where the token has an expiration date. When the token expires, the server returns 401-Unauthorized, as it should, but Chrome (and IE and FF) never sees the Allow Origin header and errors with the usual CORS error: XMLHttpRequest cannot load http://my.rest.service. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

I'm not sure what is relevant, though: the auth logic works fine, but CORS chokes when the response is 401.
C# CORS handler

    namespace NViewRest.Handlers
    {
        using System.Linq;
        using System.Net;
        using System.Net.Http;
        using System.Threading;
        using System.Threading.Tasks;

        /// <summary>
        /// Handler for processing Cross Origin Resource Sharing (CORS) requests
        /// </summary>
        public class CorsHandler : DelegatingHandler
        {
            /// <summary>The origin.</summary>
            private const string Origin = "origin";

            /// <summary>Header indicating we should treat this as a CORS request.</summary>
            private const string EnableCors = "x-enablecors";

            /// <summary>The access control request method.</summary>
            private const string AccessControlRequestMethod = "access-control-request-method";

            /// <summary>The access control request headers.</summary>
            private const string AccessControlRequestHeaders = "access-control-request-headers";

            /// <summary>The access control allow origin.</summary>
            private const string AccessControlAllowOrigin = "access-control-allow-origin";

            /// <summary>The access control allow methods.</summary>
            private const string AccessControlAllowMethods = "access-control-allow-methods";

            /// <summary>The access control allow headers.</summary>
            private const string AccessControlAllowHeaders = "access-control-allow-headers";

            /// <summary>
            /// Send the async request
            /// </summary>
            /// <param name="request">The request.</param>
            /// <param name="cancellationToken">The cancellation token.</param>
            /// <returns>The <see cref="Task"/>.</returns>
            protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
            {
                // If it has our NFIB enable CORS header or has the access control request method header, we're assuming a CORS request
                var isCorsRequest = request.Headers.Contains(AccessControlRequestMethod) || request.Headers.Contains(EnableCors);

                // Preflight == OPTIONS request - sent prior to CORS requests
                var isPreflightRequest = request.Method == HttpMethod.Options;

                // Express exit if this is a normal request
                if (!isCorsRequest)
                {
                    return base.SendAsync(request, cancellationToken);
                }

                // Actual CORS request - add the appropriate header before executing as normal
                if (!isPreflightRequest)
                {
                    return base.SendAsync(request, cancellationToken).ContinueWith(
                        t =>
                            {
                                var resp = t.Result;
                                resp.Headers.Add(AccessControlAllowOrigin, request.Headers.GetValues(Origin).First());

                                return resp;
                            },
                        cancellationToken);
                }

                // At this point it is a preflight request - add headers to indicate allowed origins
                var response = new HttpResponseMessage(HttpStatusCode.OK);
                response.Headers.Add(AccessControlAllowOrigin, request.Headers.GetValues(Origin).First());

                // Add a header to indicate allowed methods
                var accessControlRequestMethod = request.Headers.GetValues(AccessControlRequestMethod).FirstOrDefault();
                if (accessControlRequestMethod != null)
                {
                    response.Headers.Add(AccessControlAllowMethods, accessControlRequestMethod);
                }

                // Add headers to indicate allowed headers
                var requestedHeaders = string.Join(", ", request.Headers.GetValues(AccessControlRequestHeaders));
                if (!string.IsNullOrEmpty(requestedHeaders))
                {
                    response.Headers.Add(AccessControlAllowHeaders, requestedHeaders);
                }

                // Send the result of the OPTIONS request
                var tcs = new TaskCompletionSource<HttpResponseMessage>();
                tcs.SetResult(response);

                return tcs.Task;
            }
        }
    }

I can step through the lines that add the header, even when the response is 401, so I know the .NET end is adding it.
JavaScript AJAX call

    function executeAjax(method, url, data, token) {

        url = (url.indexOf('/') === 0) ? url : "/" + url;

        var options = {
            method: method,
            url: app.settings.apiurlroot + url,
            data: data
        };

        token = token || localStorage.getItem("sessionkey");

        options.headers = {
            "accept": "application/json",

            // header enabling CORS
            "x-enablecors": 'true'
        };

        if (token !== undefined && token !== null)
        {
            options.headers["x-adauth"] = token;
        }

        return $.ajax(options);
    };

The result of the call is the CORS error referenced earlier.
There are no issues with a firewall or middleware stripping these out that I know of, since any other non-401 AJAX request executes fine.

Any thoughts on why the header is disappearing?
I had the same issue and solved it by explicitly adding the CORS header to the 401 response before it is returned.

    var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("bearer", "errormessage"));
    response.Headers.Add(AccessControlAllowOrigin, "*");

    return response;
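
One way to keep the CORS grant on a short-circuited 401 without answering `*` or reflecting an arbitrary origin, as an added example that is not code from the original post. It assumes the 401 is produced by a message handler that returns before the inner handlers run; `TokenAuthHandler`, its origin allowlist and the `isTokenValid` delegate are hypothetical names, and `x-adauth` is the token header from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Added example; every name except the x-adauth header is an assumption.
public class TokenAuthHandler : DelegatingHandler
{
    private const string AllowOrigin = "Access-Control-Allow-Origin";
    private readonly HashSet<string> allowedOrigins;
    private readonly Func<string, bool> isTokenValid;

    public TokenAuthHandler(IEnumerable<string> origins, Func<string, bool> isTokenValid)
    {
        allowedOrigins = new HashSet<string>(origins, StringComparer.OrdinalIgnoreCase);
        this.isTokenValid = isTokenValid;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        var authorized = request.Headers.TryGetValues("x-adauth", out values)
            && isTokenValid(values.FirstOrDefault());
        HttpResponseMessage response;
        if (authorized || request.Method == HttpMethod.Options)
        {
            // Preflights carry no token; the inner CORS handler answers them.
            response = await base.SendAsync(request, cancellationToken);
        }
        else
        {
            // Short-circuit: inner handlers never see this request.
            response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        }
        // Same path for every status: grant only allowlisted origins, never a second value.
        var origin = request.Headers.TryGetValues("Origin", out values) ? values.FirstOrDefault() : null;
        if (origin != null && allowedOrigins.Contains(origin) && !response.Headers.Contains(AllowOrigin))
        {
            response.Headers.Add(AllowOrigin, origin);
            response.Headers.Vary.Add("Origin");
        }
        return response;
    }
}
```

Because the header is added only when it is absent, this handler can sit in front of the question's `CorsHandler` without producing a duplicate `Access-Control-Allow-Origin` value.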
 