Flutter Web - Request Headers missing

Question

I run the exact same code on Android and Web by using Dio for sending requests and what I see is that my backend doesn't get my custom added headers when I send the request from browser, but everything works fine if I do the same from emulator.

CORS is correctly setup on my backend.

Dio dio = Dio();
dio.options.headers[HttpHeaders.authorizationHeader] = "Bearer $token";
final Response response = await dio.get("http://$host:$port/$path", queryParameters: {"searchText": searchQuery, "page": 0, "pageSize": 100});

Additional information

post request works fine, the header is only missing from get requests. Either I use the http or dio packages.

However I can see in my server logs the following line when I log out all the headers of the request:

headerName: access-control-request-headers
header: authorization

Has anyone seen something similar?

Answer 1

As it seems I had to enable cors in spring security separatelly.

     httpSecurity.csrf().disable()
            .cors().and()
            .authorizeRequests()
            .antMatchers("/api/admin/**").hasRole("ADMIN")
            .antMatchers("/api/support/**").hasRole("SUPPORT")
            .antMatchers("/**").permitAll()
.and().exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter::class.java)

Once I did so everything started to work.

So to sum up, I used my custom headers in other places those were handled by my global CorsFilter but headers related to spring-security like Authorization are handled by spring-security so cors has to be enabled there as well regardles if I added Authorization to my global CorsFilter or not.