Azeem Akhter

Reputation: 577

Prevent preflight request from internal redirect

I am working on a web application. Both the backend and the frontend are hosted on different endpoints on an internal PaaS, which redirects to an SSO page if any request coming to it doesn't have the authenticated cookie.

When I send a GET request from the frontend to the backend, it also passes through the cookies (with credentials in axios). But when I make a POST request, the browser first makes a preflight OPTIONS request without the cookie, and internally the backend service redirects to the SSO; as a result, it never gets to sending the POST request at all.

The preflight request by design excludes user credentials. How can I get around it?

Upvotes: 2

Views: 248

Answers (1)

Bilal Alam

Reputation: 894

Write a middleware in your backend, at the top of the hierarchy, and check the request type in it.

If it is "OPTIONS", just verify the origin. If it is familiar, respond right away with 200 instead of passing control to next; if not, respond with 403.

If it is not "OPTIONS", just pass control to next so that it deals with it accordingly.

Assuming a node-express server, the middleware would look like this:

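app.use((req, res, next) => {
  // Only preflight (OPTIONS) requests are handled here; everything else continues.
  if (req.method !== 'OPTIONS') return next();
  // Express has no req.origin; the value comes from the Origin request header.
  // whiteListUrls is assumed to be an array of allowed origins defined elsewhere.
  if (whiteListUrls.includes(req.headers.origin)) {
    res.sendStatus(200); // sends the response; res.status(200) alone never ends it
  } else {
    res.sendStatus(403); // unfamiliar origin
  }
});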

Upvotes: 1
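
Added example, not part of the answer above: a preflight handler that also returns the CORS response headers a browser needs before it will send a credentialed POST. The function name, the origin and the method/header allowlists are hypothetical sample values, and it assumes the middleware is registered ahead of whatever layer performs the SSO redirect.

```javascript
// Added example: framework-neutral (req, res, next) middleware; usable as app.use(...) in Express.
// ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are constructed sample values.
const ALLOWED_ORIGINS = new Set(['https://frontend.internal.example']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

function corsPreflightGate(req, res, next) {
  const origin = req.headers.origin;
  const allowed = typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);

  // Responses differ per Origin, so shared caches must not reuse them across origins.
  res.setHeader('Vary', 'Origin');
  if (allowed) {
    // Credentialed CORS needs the exact origin echoed back; browsers reject "*" here.
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
  }

  // A preflight is OPTIONS plus Access-Control-Request-Method; all else goes on to auth.
  const wanted = req.headers['access-control-request-method'];
  if (req.method !== 'OPTIONS' || !wanted) return next();

  // Requested headers arrive comma-separated; every one must be on the allowlist.
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = allowed && ALLOWED_METHODS.includes(wanted) &&
    asked.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    res.statusCode = 403; // unknown origin, method or header: refuse without CORS grants
    return res.end();
  }
  res.setHeader('Access-Control-Allow-Methods', ALLOWED_METHODS.join(', '));
  res.setHeader('Access-Control-Allow-Headers', ALLOWED_HEADERS.join(', '));
  res.setHeader('Access-Control-Max-Age', '600'); // let the browser cache the preflight
  res.statusCode = 204; // no body; the browser then sends the real request with cookies
  return res.end();
}
```

The preflight carries no cookie, so it is answered only from the origin, method and header allowlists; the actual POST still passes through `next()` to the authentication layer.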
