
So this is my current code: [image]

When I delete the Authorization from the headers the request will be successful, and I get the response. But when I use the Authorization header, it will give me this error.

[image]

The server is using Python Django and using this library for CORS handling

EDIT 1: These are the Python server settings

EDIT 2: Add Browser

I use Chrome Version 53.0.2785.143 m (64-bit)

EDIT 3: Postman response

Just got a weird response here. When the backend guy tried from his laptop, he got the complete header, like this: [image] But when I use my laptop, I got this response: [image]

Christian Dimas
  • Can you give an example of your `CORS_ORIGIN_WHITELIST` in your `settings.py`? – kreddyio Oct 25 '16 at 11:48
  • @r3ign already tried to `ALLOW_ALL` so the `WHITELIST` is ignored – Christian Dimas Oct 25 '16 at 11:58
  • I'm thinking that `Authorization` is not added in `CORS_ALLOW_HEADERS` – kreddyio Oct 25 '16 at 12:06
  • Also, it is weird that the request is successful when there is no Authorization header. Anything that might cause this in your code? – kreddyio Oct 25 '16 at 12:11
  • Can you please give complete details of *all* relevant entries in `settings.py` and also what browser you were using when this error occurred? If not, this will eventually be a guessing game. Also, browser information helps as mentioned in [this answer](http://stackoverflow.com/a/9627028/3602025) – kreddyio Oct 25 '16 at 13:57
  • Are you by any chance using cookies or csrf tokens even though you are using Token Auth? – kreddyio Oct 26 '16 at 12:03
  • @r3ign nope, the backend guy said that he didn't even install csrf, and I use localstorage instead of cookies – Christian Dimas Oct 26 '16 at 15:04

2 Answers

I'm guessing CORS is not allowing the Authorization header. So, let's add the Authorization entry to CORS_ALLOW_HEADERS

```python
CORS_ALLOW_HEADERS = (
    ...
    'Authorization',
    ...
)
```
kreddyio
  • Sadly, it's also already added. When I tried using Postman, these are the headers of the response ``` Access-Control-Allow-Credentials →true Access-Control-Allow-Headers →accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with Access-Control-Allow-Methods →GET, POST, PUT, PATCH, DELETE, OPTIONS ``` – Christian Dimas Oct 25 '16 at 12:17
  • Are you sure that headers are not *case-sensitive*? – kreddyio Oct 25 '16 at 12:24
  • My bad, headers are case-insensitive according to [RFC 7230](https://tools.ietf.org/html/rfc7230#appendix-A.2) – kreddyio Oct 25 '16 at 12:26
  • Have you added the `corsheaders.middleware.CorsMiddleware` under `MIDDLEWARE_CLASSES`? – kreddyio Oct 25 '16 at 12:55
  • And also, add `corsheaders` in INSTALLED_APPS? – kreddyio Oct 25 '16 at 13:36

Solved! It's caused by the App Enlight plugin for monitoring. When I remove it, everything works without errors :)

Christian Dimas
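
A cross-origin request that carries an `Authorization` header is preflighted by the browser with an OPTIONS request, and Postman does not perform or enforce that preflight, so the headers Postman shows do not tell you how the preflight is answered. The following is an added example (not code from the question, the answers or django-cors-headers) that approximates the browser's checks on a preflight response; the `Access-Control-Allow-*` values are the ones quoted in the comment above, while the origin, the `Access-Control-Allow-Origin` value and the failing response are constructed assumptions.

```python
# Added example: approximates the checks a browser applies to a CORS preflight
# (OPTIONS) response. Not a full Fetch-spec implementation.
def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def preflight_failures(status, headers, origin, method, request_headers,
                       credentials=False):
    """Reasons the browser would block the request; empty list means allowed."""
    # request_headers: non-safelisted names sent in Access-Control-Request-Headers
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    failures = []
    if not 200 <= status <= 299:
        failures.append("preflight status %d is not 2xx" % status)
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        failures.append("no Access-Control-Allow-Origin header")
    elif allow_origin == "*" and credentials:
        failures.append("wildcard origin not accepted with credentials")
    elif allow_origin not in ("*", origin):
        failures.append("origin %s not allowed" % origin)
    if credentials and h.get("access-control-allow-credentials") != "true":
        failures.append("Access-Control-Allow-Credentials is not 'true'")
    methods = _tokens(h.get("access-control-allow-methods"))
    if method.lower() not in methods | {"get", "head", "post"}:
        failures.append("method %s not allowed" % method)
    allowed = _tokens(h.get("access-control-allow-headers"))
    for name in request_headers:
        n = name.lower()
        # Authorization must be listed by name; "*" never covers it.
        wildcard = "*" in allowed and not credentials and n != "authorization"
        if n not in allowed and not wildcard:
            failures.append("request header %s not allowed" % name)
    return failures

ORIGIN = "http://localhost:3000"  # constructed; the page does not give the origin
# Allow-* values as quoted from Postman on the page; Allow-Origin is constructed.
GOOD = {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "accept, accept-encoding, authorization, "
        "content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with",
    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
}
BARE = {"Content-Type": "text/html"}  # constructed: OPTIONS answered without CORS headers

if __name__ == "__main__":
    print(preflight_failures(200, GOOD, ORIGIN, "GET", ["Authorization"]))
    print(preflight_failures(403, BARE, ORIGIN, "GET", ["Authorization"]))
```

Feeding it the status and headers of the OPTIONS response shown in the browser's network tab, rather than the Postman output, shows which check the browser is failing.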