Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

requireSession breaks CORS #41

Open
andrewresearch opened this issue Aug 8, 2017 · 3 comments
Open

requireSession breaks CORS #41

andrewresearch opened this issue Aug 8, 2017 · 3 comments

Comments

@andrewresearch
Copy link

My CORS configuration works perfectly until I use requireSession. I have tried many different configurations with no success in getting both CORS and Sessions working together. I'm guessing that requireSession overwrites headers that I set for CORS, but I am uncertain of this. Any suggestions?
@adamw
Copy link
Member

adamw commented Aug 8, 2017

Do you mean the requiredSession directive? It would be weird if it broke anything, as it basically reads data from the headers. Unless you have refreshable sessions and the session is re-created from a token?

It would be helpful if you could post a code snippet demonstrating the problem.

@andrewresearch
Copy link
Author

andrewresearch commented Aug 9, 2017
edited
Loading

Yes, sorry. This is how I set it up. Adding requiredSession(oneOff,usingHeaders) effectively nullified my CORS setting. If I get the headers manually myself, CORS works as expected. I'm using akka-http-cors to implement CORS. Note, I tried both refreshable and oneOff, in combination with usingHeaders and usingCookies.

val sessionConfig = SessionConfig.default(SessionUtil.randomServerSecret())
  implicit val sessionManager = new SessionManager[String](sessionConfig)
  implicit val refreshTokenStorage = new InMemoryRefreshTokenStorage[String] {
    def log(msg: String) = System.out.println(msg)
  }

  def sessionSet(session: String) = setSession(oneOff, usingHeaders, session)

  val sessionRequired = requiredSession(oneOff, usingHeaders)

@adamw
Copy link
Member

adamw commented Aug 9, 2017

Hm, well in the oneOff case, the only thing that requiredSession does is reading a header value, otherwise the context is unchanged. In your tests, is the session properly decoded during the request? Maybe the session header isn't set and the request is rejected because there's no session?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adamw @andrewresearch