OPTIONS Method (Preflight request made from browser) is blocked - Authorization header not found #88

Open
routesdevsupport opened this issue Jan 25, 2023 · 3 comments


routesdevsupport commented Jan 25, 2023

Hello team/member,

We are currently facing some Preflight requests blocked by JWT WP Plugin with our iOS APP and the WordPress site which runs with JWT Auth plugin.

Can you guys guide us on how to handle those preflight requests (OPTIONS method)?

We have already used the below headers set if we match the ORIGIN requested by our iOS APP.

Sample header code that we try to set by using the rest_pre_serve_request WordPress filter:

```php
header( 'Access-Control-Allow-Origin: *' ); // We're using our origin instead of '*'
header( 'Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE' );
header( 'Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Range, Content-Disposition, Content-Type, X-Auth-Token, Authorization' );
header( 'Access-Control-Allow-Credentials: true' );
header( 'Access-Control-Expose-Headers: Link', false );
```

We are still getting the below response in a preflight request:

```json
{
    "success": false,
    "statusCode": 403,
    "code": "jwt_auth_no_auth_header",
    "message": "Authorization header not found.",
    "data": []
}
```

Thank You!


@dominic-ks
Collaborator

Hello @routesdevsupport, this looks to me like it's to do with the need to whitelist endpoints rather than anything to do with the OPTIONS request specifically.

See here - https://wordpress.org/plugins/jwt-auth/ - under the heading "Whitelisting Endpoints".

Note though that the whitelist has been removed in the latest version available on GitHub, and we're in the process of updating WordPress.org to contain the same version. With the whitelist removed, whitelisting endpoints will no longer be necessary, and the plugin will allow requests to fall back to whatever permissions WordPress requires for a request.

@ankitwwt

@dominic-ks Thanks for your quick response.

Here whitelisting will not work for us, as the endpoints we have created to make calls from the iOS app may or may not be whitelisted. It means that several endpoints are restricted for public use.

Also, these preflight requests are generated by the browser itself, not by the code. We generally use GET/POST methods from our app.

Thanks

@dominic-ks
Collaborator

@ankitwwt the situation is still the same for the current wp.org version: to access a custom route, it either needs to be whitelisted, which means it doesn't need a JWT (i.e. it still may need a logged-in user depending on the permissions callback of the route), or you need to provide a JWT with the request.
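
Browsers send a CORS preflight (OPTIONS with `Origin` and `Access-Control-Request-Method`) without the `Authorization` header, so a token check applied to it fails whatever token the app holds. The following is an added example in plain PHP, not code from the JWT Auth plugin or from any commenter in this thread; the function names, the allowlists and the sample origins are assumptions. It answers preflights from an origin allowlist and keeps the token requirement on every other request.

```php
<?php
// Added example: plain PHP with no WordPress or plugin APIs; every name is hypothetical.
const ALLOWED_ORIGINS = ['https://app.example.com']; // constructed sample origin
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['authorization', 'content-type', 'x-requested-with'];

// A CORS preflight is OPTIONS carrying Origin and Access-Control-Request-Method.
function is_cors_preflight(string $method, array $h): bool {
    return strtoupper($method) === 'OPTIONS'
        && isset($h['origin'], $h['access-control-request-method']);
}

// $h maps lower-cased request header names to values. Returns [status, headers].
function handle_request(string $method, array $h): array {
    $origin = $h['origin'] ?? '';
    $cors = [];
    if (in_array($origin, ALLOWED_ORIGINS, true)) {
        // Echo the exact allowlisted origin; browsers reject "*" with credentials.
        $cors = ['Access-Control-Allow-Origin' => $origin,
                 'Access-Control-Allow-Credentials' => 'true', 'Vary' => 'Origin'];
    }
    if (is_cors_preflight($method, $h)) {
        $want_method = strtoupper($h['access-control-request-method']);
        $want_headers = array_filter(array_map('trim',
            explode(',', strtolower($h['access-control-request-headers'] ?? ''))));
        if (!$cors || !in_array($want_method, ALLOWED_METHODS, true)
            || array_diff($want_headers, ALLOWED_HEADERS)) {
            return [403, []]; // unknown origin, method or header: grant nothing
        }
        // No Authorization lookup here: the browser never attaches it to a preflight.
        return [204, $cors + [
            'Access-Control-Allow-Methods' => implode(', ', ALLOWED_METHODS),
            'Access-Control-Allow-Headers' => implode(', ', ALLOWED_HEADERS),
            'Access-Control-Max-Age' => '600']];
    }
    // Everything else, including a bare OPTIONS without CORS headers, needs a token.
    if (!preg_match('/^Bearer\s+\S+$/', $h['authorization'] ?? '')) {
        return [403, $cors];
    }
    return [200, $cors]; // token present; signature and expiry checks go here
}

// Constructed sample requests: allowed preflight, unknown-origin preflight, POST without token.
$pre = ['origin' => 'https://app.example.com', 'access-control-request-method' => 'POST',
        'access-control-request-headers' => 'Authorization, Content-Type'];
foreach ([['OPTIONS', $pre], ['OPTIONS', ['origin' => 'https://other.example'] + $pre],
          ['POST', ['origin' => 'https://app.example.com']]] as [$m, $h]) {
    echo $m, ' ', $h['origin'], ' -> ', handle_request($m, $h)[0], PHP_EOL;
}
```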
