This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

CORS preflight issue with apikey verfication failed.

Posted on 03-19-2016 02:16 PM
Not applicable
Reply posted on --/--/---- --:-- AM 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>verify-api-key</Name>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows>
        <Flow name="PostTest">
            <Description/>
            <Request/>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/testFlow") and (request.verb = "POST")</Condition>
        </Flow>
        <Flow name="CORS preflight">
            <Description>CORS preflight</Description>
            <Request/>
            <Response>
                <Step>
                    <Name>add-cors</Name>
                </Step>
            </Response>
            <Condition>request.verb = 'OPTIONS'</Condition>
        </Flow>
    </Flows>
    <HTTPProxyConnection>
        <BasePath>/mytesting/v1</BasePath>
        <Properties/>
        <VirtualHost>secure</VirtualHost>
        <VirtualHost>default</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="NoRoute">
        <Condition>request.verb == "OPTIONS"</Condition>
    </RouteRule>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>

This is my header configuration:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">{request.header.origin}</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, content-type, user-agent, apikey</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, POST</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>




Plz help me on this
Solved Solved
2 7 1,741
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
sudheendras
Staff
Reply posted on --/--/---- --:-- AM

@Neha Since you have a Verify API Key policy in the Proxy PreFlow section, this policy is applied to all the incoming requests. If you don't want to apply the Verify API Key for preflight requests... add a condition to skip when method is "OPTIONS"

Your proxy configuration should look like this - 

    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>verify-api-key</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>
        </Request>
        <Response/>
    </PreFlow>

View solution in original post

Jump to Solution
7 REPLIES 7

Posted on --/--/---- --:-- AM
sudheendras
Staff
Reply posted on --/--/---- --:-- AM

@Neha Since you have a Verify API Key policy in the Proxy PreFlow section, this policy is applied to all the incoming requests. If you don't want to apply the Verify API Key for preflight requests... add a condition to skip when method is "OPTIONS"

Your proxy configuration should look like this - 

    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>verify-api-key</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
Jump to Solution

Posted on --/--/---- --:-- AM
Not applicable
In response to sudheendras
Reply posted on --/--/---- --:-- AM

Hey, It worked.Thanks a ton 🙂

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to sudheendras
Reply posted on --/--/---- --:-- AM

Hi @sudheendra1 thank you, this workshop indeed. But is there still a way to verify the api key in preflight requests?

Thank you!

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
daniel_biales
New Member
In response to sudheendras
Reply posted on --/--/---- --:-- AM

This was really helpful as we had the same issue. This nuance seems important to include in the API Key Verification policy documentation or the documentation on CORS

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
allenchun
New Member
In response to sudheendras
Reply posted on --/--/---- --:-- AM

For this validation in place, does it mean that request from browser doesn't send custom headers during OPTIONS request? What I'm thinking is that APIgee needs to validate the API Key passed from the options request.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

Hi @sudheendra1 thank you, this workshop indeed. But is there still a way to verify the api key in preflight requests?

Thank you!

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
jovaniac
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM 
hey guys, I implemented something like that and it served me correctly.

In the proxy enpoint we must place in the preflow the next call of a Flowcallout to invoke a sharedflow which will have the policy of CORS

<PreFlow name="PreFlow">
<Request>
<Step>
<Name>FC-CORS</Name>
</Step>
<Step>
<Name>FC-OAuth2</Name>
</Step>
</Request>
<Response/>
</PreFlow>

Definition of flowcallout, where we invoke the sharedflow

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-CORS">
<DisplayName>FC-CORS</DisplayName>
<FaultRules/>
<Properties/>
<SharedFlowBundle>OPTIONS-CORS-Headers-Response</SharedFlowBundle>
</FlowCallout>

definition of sharedflow

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlow name="default">
<Step>
<Name>OPTIONS-CORS-Headers-Response</Name>
<Condition>request.verb == "OPTIONS"</Condition>
</Step>
</SharedFlow>

definition of the policy of raisefull, where we will indicate the headers of Access-Control-Allow-Origin with * that will allow the invocation from our browser

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="OPTIONS-CORS-Headers-Response">
<DisplayName>OPTIONS CORS Headers Response</DisplayName>
<Properties/>
<FaultResponse>
<Set>
<Headers>
<Header name="Access-Control-Allow-Origin">*</Header>
<Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization</Header>
<Header name="Access-Control-Max-Age">3628800</Header>
<Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
</Headers>
<Payload contentType="text/plain"/>
<StatusCode>200</StatusCode>
<ReasonPhrase>OK</ReasonPhrase>
</Set>
</FaultResponse>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

angular:

const httpOptions2= { headers:newHttpHeaders({ 'Authorization':'Bearer token' }) };

obtenerCatalogos():Observable<any> { return this.httpClient.get<any>(uriApigee+'endpointapigee',httpOptions2); }

Regars

Jump to Solution
0 Likes