Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CORS headers: The only allowed header is Content-Type #1320

Open
Russia9 opened this issue Oct 2, 2024 · 1 comment
Open

CORS headers: The only allowed header is Content-Type #1320

Russia9 opened this issue Oct 2, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@Russia9
Copy link

Russia9 commented Oct 2, 2024

What version of ogen are you using?

$ go list -m github.com/ogen-go/ogen
github.com/ogen-go/ogen v1.4.1

Can this issue be reproduced with the latest version?

Yes

What did you do?

I created an OpenAPI spec that utilizes a custom user-defined header and has a Bearer security scheme:

openapi: 3.1.0
info:
  title: Simple API
  description: A simple API with header utilization
  version: 1.0.0
paths:
  /items:
    get:
      summary: Retrieve a list of items
      security:
        - bearerAuth: []
      parameters:
        - name: X-Custom-Header
          in: header
          required: true
          description: Custom header for request
          schema:
            type: string
      responses:
        "200":
          description: A list of items
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

Then I called an OPTIONS request to the /items path.

What did you expect to see?

There are headers Authorization, X-Custom-Header and Content-Type in the Access-Control-Allow-Headers header of the OPTIONS response for /items

What did you see instead?

The only CORS-allowed header is Content-Type
image

Probable cause

It seems like the Access-Control-Allow-Headers is hardcoded in the template gen/_template/cfg.tmpl:

...
MethodNotAllowed: func(w http.ResponseWriter, r *http.Request, allowed string) {
			status := http.StatusMethodNotAllowed
			if r.Method == "OPTIONS" {
				w.Header().Set("Access-Control-Allow-Methods", allowed)
				w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
				status = http.StatusNoContent
			} else {
				w.Header().Set("Allow", allowed)
			}
			w.WriteHeader(status)
		},
...

It can currently be mitigated by either setting this header in the reverse proxy or redefining the MethodNotAllowed function using ServerOptions.

I propose an addition to the signature of this function to include not only allowed methods but also allowed headers.
@Russia9 Russia9 added the bug Something isn't working label Oct 2, 2024
@tdakkota
Copy link
Member

tdakkota commented Oct 3, 2024

You can override default handler via WithMethodNotAllowed option.

ogen/gen/_template/cfg.tmpl

Lines 258 to 265 in 4182357

// WithMethodNotAllowed specifies Method Not Allowed handler to use.
func WithMethodNotAllowed(methodNotAllowed func(w http.ResponseWriter, r *http.Request, allowed string)) ServerOption {
return optionFunc[serverConfig](func(cfg *serverConfig) {
if methodNotAllowed != nil {
cfg.MethodNotAllowed = methodNotAllowed
}
})
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tdakkota @Russia9 and others