1

I'm trying to work with AspNetCore and I'm stuck at this. When I send a request using postman everything works fine, but when I try to do it using a browser it doesn't work. I'm using AspNetCore 3.1.

Startup.cs

namespace PMES.HelpDesk.WebAPI
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            //...

            services.AddCors(opt => 
            {
                opt.AddPolicy("AllowOrigin", options => {
                    options.AllowAnyOrigin();
                    options.AllowAnyMethod();
                    options.AllowAnyHeader();
                });
             });

           //...
        }


        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                IdentityModelEventSource.ShowPII = true;

            }
            else
            {
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseRouting();
            app.UseCors("AllowOrigin");
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
}

Error Message

Access to XMLHttpRequest at 'http://localhost:5000/api/session/authenticate' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

EDIT 1

My front end is built with Vue and that's my request

axios
.get(`http://localhost:5000/api/session/authenticate`, {
    headers: {
        Authorization:
            'Bearer ' +
             'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMTQ0NjE3Nzc0MiIsIm5hbWUiOiJGZWxpcGUgRW5kbGljaCIsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoxNTk2MzM5MDIyfQ._VcxTFt6N0oe-QKeyant8lCzcpC2AL69tFcADLBbXO0'
    }
})
.then(response => {
    window.console.log(response.data);
})
.catch(error => {
    window.console.log(error);
});

EDIT 2

When I send a postman request I get these headers

Date: Thu, 06 Feb 2020 20:08:11 GMT
Server: Kestrel
Content-Length: 0
Allow: GET
Access-Control-Allow-Origin: *
Felipe Endlich
  • 540
  • 5
  • 24

1 Answers1

1

Your OPTIONS request is OK, but please note this gotcha: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

CORS can not be break while withCredentials is set to true on the underlying AJAX controller. It looks like axios does not support it. See: https://github.com/axios/axios/pull/2582

Anyway I would neither try to hack it. You have two solutions:

I would definetly suggest the second one, which avoids you hacking the back-end with CORS

Newbie
  • 4,462
  • 11
  • 23