First things first: we develop our own REST API in ColdFusion with the following headers:

    cfheader(name="Access-Control-Allow-Origin", value="*");
    cfheader(name="Access-Control-Allow-Headers", value="*");
    cfheader(name="Access-Control-Allow-Methods", value="GET, POST, PUT, HEAD, OPTIONS");
    cfheader(name="Access-Control-Allow-Credentials", value="true");

The webserver allows all headers and methods - I've asked our sysadmins.
We are coding an Angular (18) app (not so much experience with Angular). We use an interceptor to add the headers.
Our login is working (POST, no auth header...) in Postman & browsers!
After a successful login there are two GET calls, and here is my understanding problem:
a) Without the Authorization header the request returns 200 OK and the response is as we want (we exclude the needed authorization part in the API and return the content). Working in Postman AND browsers!
b) With the Authorization header, a valid token and working authorization logic, only Postman gets a valid response; the browsers show a 500 CORS error on the OPTIONS and the GET request.
My question: why? I have compared the headers from the working and the not-working GET calls - nearly the same.
Can someone explain what causes this behaviour? Do the browsers follow the CORS rules more strictly? But why does it work without an added header (it doesn't matter how I name it!)?
This is our interceptor:
    import { HttpInterceptorFn } from '@angular/common/http';

    export const authInterceptor: HttpInterceptorFn = (req, next) => {
      if (req.headers.has('no-auth')) {
        // 'no-auth' is only a marker for us: strip it and send the request without a token (login)
        req = req.clone({
          headers: req.headers.delete('no-auth', 'true'),
          setHeaders: { Accept: 'application/json' },
        });
        return next(req);
      } else {
        /* Token: */
        const Token = localStorage.getItem('Token') ?? '';
        const auth_headers = req.headers.set('Authorization', `${Token}`);
        // Clone the request and add the authorization header
        const authReq = req.clone({ headers: auth_headers });
        return next(authReq);
      }
    };
...yes, the interceptor is not finished...
Thanks in advance for any help!! :-)
Uwe
EDIT:
- Angular is running on localhost
- I think the problem is somewhere in the OPTIONS preflight... so these are the API headers at the moment:

    // Handle CORS preflight request
    if (cgi.request_method == "OPTIONS") {
        cfheader(name="Access-Control-Allow-Origin", value="http://localhost:4004");
        cfheader(name="Access-Control-Allow-Headers", value="Content-Type, Authorization");
        cfheader(name="Access-Control-Allow-Methods", value="GET, POST, PUT, DELETE, OPTIONS");
        cfheader(name="Access-Control-Allow-Credentials", value="true");
        cfheader(statuscode="200", statustext="OK");
        cfexit();
    }

    // Your actual API logic here
    cfheader(name="Access-Control-Allow-Origin", value="*");
    cfheader(name="Access-Control-Allow-Headers", value="*");
    cfheader(name="Access-Control-Allow-Methods", value="GET, POST, PUT, DELETE, OPTIONS");
    cfheader(name="Access-Control-Allow-Credentials", value="true");
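The following is an added example and not code from the question or from the asker's API: it models the checks a browser applies to CORS responses according to the Fetch standard (which request headers force a preflight, how `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Headers: *` are interpreted, and the rule that the `*` wildcard never covers `Authorization`) and runs them over the two header sets shown in the question. The assumptions are that the Angular app is served from `http://localhost:4004` (the origin the EDIT whitelists) and that `HttpClient` runs with `withCredentials` at its default of `false`; the alternative origin `http://localhost:4200` and the token value are constructed for the example.

```typescript
// Added example: a model of the browser's CORS decision for the header sets in the question.
// It follows the Fetch standard's CORS checks; it is not the asker's code and not ColdFusion.
type HeaderMap = Record<string, string>; // header name -> value, names compared case-insensitively

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

function header(h: HeaderMap, name: string): string | undefined {
  const key = Object.keys(h).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : h[key];
}

function listOf(value: string | undefined): string[] {
  return value ? value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0) : [];
}

/** Request headers that are not CORS-safelisted; any of them forces a preflight. */
export function unsafeRequestHeaders(req: HeaderMap): string[] {
  return Object.entries(req)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.has(n)) return true;
      if (n === "content-type") {
        const mime = value.split(";")[0].trim().toLowerCase();
        return !SAFE_CONTENT_TYPES.includes(mime); // e.g. application/json is NOT safelisted
      }
      return false;
    })
    .map(([name]) => name.toLowerCase());
}

export function needsPreflight(method: string, req: HeaderMap): boolean {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeRequestHeaders(req).length > 0;
}

/** Origin/credentials check applied to every CORS response, preflight and actual. Returns null if OK. */
export function checkOrigin(origin: string, resp: HeaderMap, credentials: boolean): string | null {
  const acao = header(resp, "Access-Control-Allow-Origin");
  if (acao === undefined) return "missing Access-Control-Allow-Origin";
  if (credentials) {
    if (acao === "*") return "Access-Control-Allow-Origin: * is not allowed with credentials";
    if (acao !== origin) return `origin ${origin} not allowed (got ${acao})`;
    if (header(resp, "Access-Control-Allow-Credentials") !== "true")
      return "Access-Control-Allow-Credentials must be exactly 'true' with credentials";
    return null;
  }
  if (acao !== "*" && acao !== origin) return `origin ${origin} not allowed (got ${acao})`;
  return null;
}

/** Check of the preflight (OPTIONS) response against the real request that will follow. */
export function checkPreflight(origin: string, method: string, req: HeaderMap, resp: HeaderMap, credentials: boolean): string | null {
  const originErr = checkOrigin(origin, resp, credentials);
  if (originErr) return originErr;
  const m = method.toUpperCase();
  const methods = listOf(header(resp, "Access-Control-Allow-Methods"));
  const methodWildcard = methods.includes("*") && !credentials; // "*" is literal when credentials are sent
  if (!methodWildcard && !SAFE_METHODS.has(m) && !methods.includes(m.toLowerCase()))
    return `method ${m} not in Access-Control-Allow-Methods`;
  const allowed = listOf(header(resp, "Access-Control-Allow-Headers"));
  const headerWildcard = allowed.includes("*") && !credentials;
  for (const name of unsafeRequestHeaders(req)) {
    // Fetch standard: the "*" wildcard never covers Authorization, even without credentials.
    if (headerWildcard && name !== "authorization") continue;
    if (!allowed.includes(name)) return `header ${name} not in Access-Control-Allow-Headers`;
  }
  return null;
}

/** One request end to end: preflight (only if needed), then the actual response. */
export function simulate(origin: string, method: string, req: HeaderMap,
                         preflightResp: HeaderMap, actualResp: HeaderMap, credentials: boolean): string {
  if (needsPreflight(method, req)) {
    const err = checkPreflight(origin, method, req, preflightResp, credentials);
    if (err) return `blocked at preflight: ${err}`;
  }
  const err = checkOrigin(origin, actualResp, credentials);
  return err ? `blocked at response: ${err}` : "ok";
}

// Header set from the question's first snippet (sent on every response, OPTIONS included).
export const GLOBAL_STAR: HeaderMap = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "*",
  "Access-Control-Allow-Methods": "GET, POST, PUT, HEAD, OPTIONS",
  "Access-Control-Allow-Credentials": "true",
};
// Header set from the EDIT's OPTIONS branch.
export const PREFLIGHT_EXPLICIT: HeaderMap = {
  "Access-Control-Allow-Origin": "http://localhost:4004",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
  "Access-Control-Allow-Credentials": "true",
};

const ORIGIN = "http://localhost:4004"; // assumed: the origin the EDIT whitelists
const NO_AUTH: HeaderMap = { Accept: "application/json" };
const WITH_AUTH: HeaderMap = { Accept: "application/json", Authorization: "constructed-token" };

export const results = {
  // case a): no Authorization -> safelisted headers only, no preflight, "*" is acceptable
  a_noAuth: simulate(ORIGIN, "GET", NO_AUTH, GLOBAL_STAR, GLOBAL_STAR, false),
  // case b) with the first header set: Authorization forces a preflight and "*" does not cover it
  b_authStar: simulate(ORIGIN, "GET", WITH_AUTH, GLOBAL_STAR, GLOBAL_STAR, false),
  // case b) with the EDIT's OPTIONS branch, app served from the whitelisted origin
  b_authExplicit: simulate(ORIGIN, "GET", WITH_AUTH, PREFLIGHT_EXPLICIT, GLOBAL_STAR, false),
  // same, but app served from another port (constructed) -> exact-origin mismatch
  b_otherPort: simulate("http://localhost:4200", "GET", WITH_AUTH, PREFLIGHT_EXPLICIT, GLOBAL_STAR, false),
  // and with withCredentials=true the "*" on the actual GET response is rejected as well
  b_credentials: simulate(ORIGIN, "GET", WITH_AUTH, PREFLIGHT_EXPLICIT, GLOBAL_STAR, true),
};
```

Postman applies none of these checks, which is why the same GET works there. The model covers only the browser's side: a 500 status on the OPTIONS request itself is produced by the server and has to be read from its logs, not from this simulation.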