Things to get around CORS pre-flight request. Allow Jwt token to be passed via "access_token" query stirng param. Allow JSON body content to be parsed as "text/plain" content type.

2025-01-10 20:07:56 +01:00 · 2016-07-13 18:37:14 -04:00 · 2016-07-13 18:37:14 -04:00 · f6ee916d7b
commit f6ee916d7b
parent 0582eb73db
3 changed files with 20 additions and 2 deletions
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -22,6 +22,9 @@ using StackExchange.Redis.Extensions.Core;
 using StackExchange.Redis.Extensions.Newtonsoft;
 using Loggr.Extensions.Logging;
 using Newtonsoft.Json;
+using System.Linq;
+using Microsoft.AspNetCore.Mvc.Formatters;
+using Microsoft.Net.Http.Headers;

 namespace Bit.Api
 {
@ -136,7 +139,8 @@ namespace Bit.Api
            // Cors
            services.AddCors(config =>
            {
-                config.AddPolicy("All", policy => policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin());
+                config.AddPolicy("All", policy =>
+                    policy.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().SetPreflightMaxAge(TimeSpan.FromDays(1)));
            });

            // MVC
@ -144,6 +148,9 @@ namespace Bit.Api
            {
                config.Filters.Add(new ExceptionHandlerFilterAttribute());
                config.Filters.Add(new ModelStateValidationFilterAttribute());
+                // Allow JSON of content type "text/plain" to avoid cors preflight
+                config.InputFormatters.OfType<JsonInputFormatter>().SingleOrDefault()?
+                    .SupportedMediaTypes.Add(MediaTypeHeaderValue.Parse("text/plain"));
            });
        }

--- a/src/Core/Identity/JwtBearerAppBuilderExtensions.cs
+++ b/src/Core/Identity/JwtBearerAppBuilderExtensions.cs
@ -49,7 +49,8 @@ namespace Bit.Core.Identity
            options.Events = new JwtBearerEvents
            {
                OnTokenValidated = JwtBearerEventImplementations.ValidatedTokenAsync,
-                OnAuthenticationFailed = JwtBearerEventImplementations.AuthenticationFailedAsync
+                OnAuthenticationFailed = JwtBearerEventImplementations.AuthenticationFailedAsync,
+                OnMessageReceived = JwtBearerEventImplementations.MessageReceivedAsync
            };

            app.UseJwtBearerAuthentication(options);
--- a/src/Core/Identity/JwtBearerEventImplementations.cs
+++ b/src/Core/Identity/JwtBearerEventImplementations.cs
@ -49,5 +49,15 @@ namespace Bit.Core.Identity

            return Task.FromResult(0);
        }
+
+        public static Task MessageReceivedAsync(MessageReceivedContext context)
+        {
+            if(!context.Request.Headers.ContainsKey("Authorization"))
+            {
+                context.Token = context.Request.Query["access_token"];
+            }
+
+            return Task.FromResult(0);
+        }
    }
 }