CORS Preflight Requests rejected even with recommended CORS setup.

Google Cloud Apigee
1

I need to support CORS preflight requests. Either OPTIONS passthrough without key to the backend or Apigee immediate response with CORS headers would meet the requirement.

“Add CORS” AssignMessage policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Add>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

Proxy Endpoint:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <Flows>
        <Flow name="OptionsPreFlight">
            <Request/>
            <Response>
                <Step>
                    <Name>add-cors</Name>
                </Step>
            </Response>
            <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
        </Flow>
    </Flows>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <Flows/>
    <HTTPProxyConnection>
        <BasePath>/api/cxp/v1/gateway</BasePath>
        <Properties/>
        <VirtualHost>*redacted*</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="NoRoute">
        <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </RouteRule>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
</ProxyEndpoint>

Target Endpoint:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndpoint name="default">
    <Description/>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Request/>
        <Response>
            <Step>
                <Name>add-cors</Name>
            </Step>
        </Response>
    </PreFlow>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
    <Flows/>
    <HTTPTargetConnection>
        <Properties/>
        <URL>*redacted*</URL>
    </HTTPTargetConnection>
</TargetEndpoint>

Even with this in place, which I think should suffice to respond to all OPTIONS request where the origin and Access-Control-Request-Method are not null, my preflight requests get rejected with 401:

Chrome Devtools Network tab:

9550-request-from-browser-network.png
9550-request-from-browser-network.png633×571 49.9 KB

Chrome console:

9548-request-from-browser.png

Postman (trying to fake a preflight request):

9549-request-from-postman.png
9549-request-from-postman.png864×636 32.6 KB

What am I missing?

2

Have you tried using trace against your proxy during the OPTIONS request?

3

We only use microgateways, not the normal Apigee environments, which I think makes the Trace feature not work.

4

As this is in context of the Microgateway, you should be implementing this as a microgateway plugin.

https://docs.apigee.com/api-platform/microgateway/3.0.x/use-plugins

5

Interesting thank you. You’re saying the proxy definition way doesn’t work when using a microgateway?

I will look into this, but we only use one microgateway so unless plugins can be applied only to specific proxies, we’ll need to make sure this doesn’t interfere with anything else.

6

And here’s an example cors plugin:

https://github.com/apigee/microgateway-plugins/blob/master/cors/index.js