CORS header ‘Access-Control-Allow-Origin’ missing if http status code is not 200

I am using restivus plugin to handle my Api Requests.

The issue I am facing is:

If Api returns 200 status code, everything works fine.

But if I send an invalid Authentication Bearer Token in the header, or if any error is returned from the API, e.g. 422, 401, 400, etc., my ajax request fails and gives this error:

CORS header ‘Access-Control-Allow-Origin’ missing

Here is my restivus configuration:

myApi = new Restivus({
  apiPath: 'api/',
  // headers Restivus adds to normal endpoint responses
  defaultHeaders: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Access-Control-Allow-Headers, Access-Control-Request-Method, Connection, Content-Language, Access-Control-Request-Headers, Origin, X-Requested-With, Content-Type, Accept-Language, Accept, Z-Key, Authorization, client-id, client-secret, client_id, client_secret",
    "Content-Type": "application/json",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS"
  },
  enableCors: true,
  useDefaultAuth: false,
  prettyJson: true,
  // handler for the CORS preflight (OPTIONS) request
  defaultOptionsEndpoint: {
    action: function() {
      this.response.writeHead(201, {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "Access-Control-Allow-Headers, Access-Control-Request-Method, Connection, Content-Language, Access-Control-Request-Headers, Origin, X-Requested-With, Content-Type, Accept-Language, Accept, Z-Key, Authorization, client-id, client-secret, client_id, client_secret",
        "Content-Type": "application/json",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS"
      });
      this.done();
      return {
        status: "success",
        data: {
          message: "We love OPTIONS"
        }
      };
    }
  }
});

Does anyone know what I am missing here?

I suspect the server only returns the headers if the authentication is successful. The way I interpret it is 1:

  1. your server did not return the CORS header to the client
  2. the client did not send the CORS header.

If the token authentication fails, I guess you only need to know that it failed. CORS is just another way/step of authentication.

So what is the way to return the CORS headers to the client for any status code except 200?

I don't know the right place to return the CORS headers in case of 401, 422, etc.
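As an added example (not from the original post and not Restivus's own API), here is the pattern the thread is asking about in plain Node.js: compute the CORS headers once and attach them on every response path, so a 401 for a bad bearer token carries the same `Access-Control-Allow-Origin` as a 200. It goes one step beyond the posted config by echoing an allow-listed origin instead of `*`, because browsers refuse `Access-Control-Allow-Credentials: true` together with a wildcard origin; `ALLOWED_ORIGINS`, `VALID_TOKEN`, `handle` and `respond` are constructed/hypothetical names, not part of any library.

```javascript
// Added example: CORS headers applied before any status-specific branch.
// ALLOWED_ORIGINS and VALID_TOKEN are constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const VALID_TOKEN = "constructed-sample-token";

// Build the CORS response headers for the request's Origin. An origin that is
// not on the allow list gets no CORS headers at all (the browser will then
// block the cross-origin read, which is the intended outcome).
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,        // echo, never "*" with credentials
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Vary": "Origin",                              // caches must key on Origin
  };
}

// Decide status, headers and body for one request. Returns a plain object so
// the logic can be exercised without sockets. The CORS headers are merged in
// FIRST, so every return below (preflight, 401, 200) carries them.
function handle({ method, origin, authorization }) {
  const headers = { "Content-Type": "application/json", ...corsHeaders(origin) };

  if (method === "OPTIONS") {
    // Preflight: headers are the whole answer, no body required.
    return { status: 204, headers, body: "" };
  }

  const token = (authorization || "").replace(/^Bearer\s+/i, "");
  if (token !== VALID_TOKEN) {
    // The error path keeps the same headers, so the client sees a real 401
    // instead of an opaque "CORS header missing" failure.
    return { status: 401, headers, body: JSON.stringify({ error: "unauthorized" }) };
  }

  return { status: 200, headers, body: JSON.stringify({ status: "success" }) };
}

// Write a handle() result to a Node http.ServerResponse-like object.
function respond(res, result) {
  res.writeHead(result.status, result.headers);
  res.end(result.body);
}
```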