1

All preflight requests from browsers to my Self-Host OWIN WebAPI are not processed by Middleware. If I make OPTIONS request from Postman they are processed. Why is such a behaviour?

Request URL:http://localhost:9000/api/v1/conversations/create?connectionId=13509f44-eacb-4950-8cc8-71bd37098975

Request Method:OPTIONS

Status Code:401 Unauthorized Remote

Address:[::1]:9000

Accept:/

Accept-Encoding:gzip, deflate, sdch, br

Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

Access-Control-Request-Headers:content-type

Access-Control-Request-Method:POST

Connection:keep-alive

Host:localhost:9000

Origin:http://localhost:8080

Referer:http://localhost:8080/

User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Response Headers for Chrome:

Content-Length:0

Date:Wed, 08 Feb 2017 04:17:26 GMT

Server:Microsoft-HTTPAPI/2.0

WWW-Authenticate:NTLM

Response headers for Postman:

Access-Control-Allow-Credentials →true

Access-Control-Allow-Origin →chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop

Allow →POST

Content-Length →76

Content-Type →application/json; charset=utf-8

Date →Wed, 08 Feb 2017 04:21:02 GMT

Server →Microsoft-HTTPAPI/2.0

I added fake middleware to my appbuilder:

public void BuildWebApi(IAppBuilder appBuilder)
    {
        appBuilder.Use(async (ctx, next) =>
        {
            await next();
        });

and put breakpoint to line "await next()". So breakpoint doesn't stop while browser makes preflight request and stops while postman OPTIONS response.

Argnist
  • 535
  • 1
  • 5
  • 18
  • http://stackoverflow.com/questions/24989769/cors-is-not-working-in-web-api-with-owin-authentication and http://stackoverflow.com/questions/20079813/how-to-make-cors-authentication-in-webapi-2 may be relevant. Also it would probably help if you also included the request headers in your question. – sideshowbarker Feb 08 '17 at 04:32
  • UseCors not working because it also in background adds middleware that are not invoked on preflight requests from Chrome. Of course I've added UserCors() and config.EnableCors() but it has no effect. – Argnist Feb 08 '17 at 04:48
  • OK, so http://stackoverflow.com/questions/20079813/how-to-make-cors-authentication-in-webapi-2/25758949#25758949 does not help you? – sideshowbarker Feb 08 '17 at 04:51
  • No, I haven't any xml config because of Self-Host. I've added request headers to question. – Argnist Feb 08 '17 at 04:52
  • Please read the answer at http://stackoverflow.com/questions/20079813/how-to-make-cors-authentication-in-webapi-2/25758949#25758949. It doesn’t use any XML config. Instead it involves: (1) Installing the `Microsoft.AspNet.WebApi.Cors` nuget package, the `Microsoft.Owin.Cors` nuget package, and then (2) adding `config.EnableCors(new EnableCorsAttribute("*", "*", "GET, POST, OPTIONS, PUT, DELETE"))` above the `WebApiConfig.Register(config)` line in the `Startup.cs` file, then (3) adding `app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll)` to the `Startup.Auth.cs` file. No XML config. – sideshowbarker Feb 08 '17 at 04:57
  • That not works also – Argnist Feb 08 '17 at 06:18

1 Answers1

4

Solved this by 

HttpListener listener = (HttpListener)appBuilder.Properties["System.Net.HttpListener"];
listener.AuthenticationSchemeSelectorDelegate = request =>
{
   if (request.HttpMethod == "OPTIONS")
   {
       return AuthenticationSchemes.Anonymous;
   }
};
Argnist
  • 535
  • 1
  • 5
  • 18