
EDITED for clarity:

Using python/Flask REST-API to provide secure endpoints (using basic auth) for an ExtJS app. CORS is enabled. All had been working splendidly in all my testing with Safari. Decided to test other browsers (IE, Chrome and Firefox) with the outcome that I keep getting a 401 error and no login dialog.

I found the following blog post http://mortoray.com/2014/04/09/allowing-unlimited-access-with-cors/ that suggested to add the following chunk of code to ensure all headers were covered for all endpoints:

from flask import Flask, request

app = Flask(__name__)  # assumed: the app object is defined elsewhere in the original code


@app.after_request
def add_cors(resp):
    """ Ensure all responses have the CORS headers. This ensures any failures are also accessible
        by the client. """
    resp.headers['Access-Control-Allow-Origin'] = request.headers.get('Origin', '*')
    resp.headers['Access-Control-Allow-Credentials'] = 'true'
    resp.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS, GET'
    resp.headers['Access-Control-Allow-Headers'] = request.headers.get(
        'Access-Control-Request-Headers', 'Authorization')
    # set low for debugging
    if app.debug:
        resp.headers['Access-Control-Max-Age'] = '1'
    return resp

I added this to my api code in hopes that it would work, but it seems to have made no difference.

The API is hosted via Apache using mod_wsgi, and all authentication is passed off to the WSGI app using the WSGIPassAuthorization On directive.

Needless to say, I am slightly confused. Shouldn't I always get the login dialog if a 401 error was detected?

horcle_buzz
  • For Firefox, I tried setting the NTLM settings, but this did not do anything, which is expected, since we are running an Apache web service. – horcle_buzz May 13 '15 at 20:53
  • Hey there! I do know that basic auth works directly through the API (python/flask) on all browsers, so it definitely has to do with Ajax. Haven't had much time to look into it lately though. – horcle_buzz May 29 '15 at 16:54
  • I have a similar problem (using JQuery not ExtJS.) I have tried the same request on both same-origin and cross-origin and compared the Request Headers being sent. They are the same except: same-origin has "Origin", but cross-origin has "X-Requested-With". (Not sure if Ajax or the browser is to blame.) – Bampfer May 29 '15 at 20:51
  • You might want to use Firebug or Chrome Developer Tools to check your Request Headers, see what differences exist. Theory A: one of the request header differences is causing this. Theory B: browsers just handle Basic Auth differently if it's CORS, and skip the user prompt. Either way: a possible workaround might be to have an explicit login page, then skip the prompt by injecting the Authentication header yourself. – Bampfer May 29 '15 at 20:57
  • Hey there! Have you had any luck with this? I am JUST finally able to get back to this. – horcle_buzz Jul 24 '15 at 16:28
  • It is appearing to be the case that it is Ajax being the culprit. Basic auth via direct api calls works just fine. Via Ajax not so much... All the testing I am doing is on the same-origin, too. – horcle_buzz Jul 26 '15 at 02:13
  • FYI I tried my suggested workaround above, explicitly supplying an Authentication header with every request (http://stackoverflow.com/questions/5507234/how-to-use-basic-auth-and-jquery-and-ajax). Didn't seem to help. Adding xhrFields: {withCredentials: true} helped a bit with Chrome but broke Firefox. But perhaps some combination of the things I'm trying would work. – Bampfer Jul 27 '15 at 15:16
  • If you disable Chrome with the --disable-web-security argument, everything works. Firefox does not seem to have a similar flag (there is an open Bugzilla request for this). – horcle_buzz Jul 27 '15 at 19:34
  • I have another app that hits against a third party API using Ajax CORS without any problems. The only difference is that the third party API does not use http basic auth. I may end up doing something similar to what they did. – horcle_buzz Jul 27 '15 at 19:41
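The after_request hook in the question reflects whatever Origin the browser sends and pairs it with Access-Control-Allow-Credentials: true, which lets any site make credentialed calls to the API; it also does nothing about the preflight OPTIONS request, which carries no credentials and so gets a 401 from a Basic-auth-protected endpoint before the real request is ever made. The following is an added example, not code from the question or from the linked blog post: a plain WSGI app (the same interface mod_wsgi serves, written without Flask so it runs stand-alone) that answers preflights before authentication, only echoes origins from an explicit allowlist, and returns a 401 with the WWW-Authenticate header that makes it a proper credential challenge. The origin, user name, password and realm are constructed values.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed example values, not taken from the original post.
ALLOWED_ORIGINS = {"https://app.example.com"}
USERS = {"alice": "correct horse battery staple"}


def cors_headers(environ):
    """Return CORS headers for this request, or [] if the Origin is not allowed.

    Only allowlisted origins are echoed back. Reflecting any Origin together with
    Allow-Credentials: true would let every site call the API with the user's cookies
    or cached Basic credentials.
    """
    origin = environ.get("HTTP_ORIGIN")
    if origin not in ALLOWED_ORIGINS:
        return []
    return [
        ("Access-Control-Allow-Origin", origin),
        ("Access-Control-Allow-Credentials", "true"),
        ("Access-Control-Allow-Methods", "GET, POST, OPTIONS"),
        ("Access-Control-Allow-Headers", "Authorization, Content-Type"),
        ("Vary", "Origin"),  # caches must not serve one origin's answer to another
    ]


def check_basic_auth(environ):
    """Return the user name if the Authorization header carries valid Basic credentials, else None."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    # compare_digest avoids leaking the password length or prefix through timing
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def app(environ, start_response):
    """Minimal WSGI app: preflight is answered without auth; everything else needs Basic auth."""
    cors = cors_headers(environ)
    method = environ["REQUEST_METHOD"]

    # Browsers send preflight OPTIONS requests without credentials, so the auth
    # check must not run for them or every cross-origin call fails before it starts.
    if method == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ:
        start_response("204 No Content", cors)
        return [b""]

    user = check_basic_auth(environ)
    if user is None:
        # WWW-Authenticate is what turns a 401 into a credential challenge. The CORS
        # headers stay attached so an allowed origin can at least read the status.
        headers = [("Content-Type", "text/plain"),
                   ("WWW-Authenticate", 'Basic realm="api"')] + cors
        start_response("401 Unauthorized", headers)
        return [b"authentication required"]

    start_response("200 OK", [("Content-Type", "text/plain")] + cors)
    return [f"hello {user}".encode()]


def call(method, path="/", origin=None, auth=None, preflight_for=None):
    """Drive the app directly with a synthetic environ and return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    result = {}

    def start_response(status, headers):
        result["status"] = status
        result["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return result["status"], result["headers"], body
```

Running call("OPTIONS", origin="https://app.example.com", preflight_for="GET") shows the preflight succeeding with no credentials, while a GET from an origin outside the allowlist gets a 401 that carries WWW-Authenticate but no Access-Control-Allow-Origin, so the browser will not expose the response to that page.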

1 Answer


I ended up just moving my ExtJS and API apps to the same server (using Apache mod_alias for the ExtJS app and the WSGIScriptAlias directive from mod_wsgi for the Flask app). Works like a charm and no CORS issues. Notwithstanding the terrible solution for Chrome, I think there is no fix for Firefox, and I don't even look into IE. I certainly have better things to do.

horcle_buzz
  • One final note: this will ONLY work if using SSL certificates, if using .htaccess authentication in Apache, or if using secure LDAP authentication through Apache (which should, of course, also use SSL via port 443). – horcle_buzz Oct 26 '15 at 02:08