user1093111

Reputation: 1111

Windows Authentication throwing off CORS?

I have an issue where I'm using Windows Authentication that requires a preflight request to log in. However, despite having CORS enabled in my startup file, the application will fail the preflight "Allow-Access-Control-Origin" requirement.

Failed to load http://localhost:1190/api/test: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.

I'm running a SPA on localhost:8080

I have an axios POST withCredentials

function identityLogin () {
  const url = BASE_URL + 'api/token'
  // withCredentials makes the browser send Windows credentials cross-origin
  axios.get(url, {withCredentials: true}).then(response => {
    if (response.statusText === 'OK') {
      // ...
    } else {
      // ...
    }
  })
  .catch(error => {
    console.log(error)
    // ...
  })
}

In my startup.cs I have

app.UseCors(builder => builder
                    .AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader()
                    .AllowCredentials()
);

app.UseMvc();

Then, when I first get the Windows credentials, a previous developer wrote this:

    [HttpGet("api/token")]
    [Authorize]
    public async Task<IActionResult> Get()
    {
        this.Response.Headers.Add("Access-Control-Allow-Origin", "http://localhost:8080");
        this.Response.Headers.Add("Access-Control-Allow-Headers", "Content-Type,Authorization");
        this.Response.Headers.Add("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE,OPTIONS");
        this.Response.Headers.Add("Access-Control-Allow-Credentials", "true");
        .........
    }

Is this persistent and possibly messing with the UseCORS? Is there a cookie being stored?

All I want the Windows credentials for is to check a DB and then respond with a token.

**EDIT** I specified origins with the same result.

app.UseMvc();

app.UseCors(builder => builder
       .WithOrigins("http://localhost:8080")
       .AllowAnyMethod()
       .AllowAnyHeader()
       .AllowCredentials());

Upvotes: 1

Views: 411

Answers (1)

user1093111

Reputation: 1111

ORDER MATTERS in startup.cs

app.UseCors must come before app.UseMvc:

app.UseCors(builder => builder
    .WithOrigins("http://localhost:8080") 
    .AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials());


app.UseMvc();

Upvotes: 1
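
A way to see why a browser rejects a preflight like the one in this thread, as an added example that is not part of the original question or answer: the function applies the main checks a browser runs on a preflight response when the request uses `withCredentials`. The sample responses and the `content-type` request header are constructed assumptions.

```javascript
// Added example (not from the original post): the main checks a browser
// applies to a preflight response when the request uses withCredentials.
// Method and header names are compared case-insensitively for simplicity.
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const problems = [];
  // A preflight is sent without credentials and must come back 2xx.
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  // With credentials the origin must be echoed exactly; '*' is rejected.
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) problems.push("no 'Access-Control-Allow-Origin' header");
  else if (allowOrigin === '*') problems.push('wildcard origin is not accepted with credentials');
  else if (allowOrigin !== req.origin) problems.push(`origin ${allowOrigin} does not match ${req.origin}`);
  if (h['access-control-allow-credentials'] !== 'true')
    problems.push("'Access-Control-Allow-Credentials' is not 'true'");
  // GET, HEAD and POST need no Access-Control-Allow-Methods entry.
  const method = req.method.toLowerCase();
  if (!['get', 'head', 'post'].includes(method) && !list(h['access-control-allow-methods']).includes(method))
    problems.push(`method ${req.method} is not allowed`);
  // Each non-safelisted request header must be listed by name.
  const allowed = list(h['access-control-allow-headers']);
  for (const name of req.headers.map((n) => n.toLowerCase()))
    if (!allowed.includes(name)) problems.push(`request header ${name} is not allowed`);
  return problems;
}

// Constructed inputs: the SPA origin from the question and three sample preflight responses.
const request = { origin: 'http://localhost:8080', method: 'GET', headers: ['content-type'] };
const samples = {
  noCorsHeaders: { status: 200, headers: {} },
  wildcard: { status: 204, headers: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'content-type' } },
  explicitOrigin: { status: 204, headers: {
    'Access-Control-Allow-Origin': 'http://localhost:8080',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'content-type' } },
};
for (const [name, res] of Object.entries(samples))
  console.log(name, checkPreflight(request, res));
```

Only the `explicitOrigin` response passes, which is the shape `WithOrigins("http://localhost:8080")` with `AllowCredentials()` is meant to produce once the CORS middleware actually runs.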
