
Endpoint /login/oauth/access_token doesn't return Access-Control-Allow-Methods #7204


Closed
6 tasks
esfraner opened this issue Jun 14, 2019 · 6 comments · Fixed by #14850
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/enhancement An improvement of existing functionality

Comments

@esfraner

  • Gitea version (or commit ref): bd55f6f
  • Git version: 2.11.0
  • Operating system: Linux debian
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • [x] Not relevant
  • Log gist:

Description

Endpoint /login/oauth/access_token doesn't return Access-Control-Allow-Methods and gives me a CORS problem.
...

Screenshots

Screenshot_20190614_130928

....

Screenshot_20190614_1259032222

@lunny lunny added the type/enhancement An improvement of existing functionality label Jun 14, 2019
@zeripath
Contributor

What should it return exactly?

@esfraner
Author

esfraner commented Jun 14, 2019

@zeripath, as you can see, in this GET method, Access-Control-Request-Method appears with its method:
(No problem with the error 403, I only have to make a test OPTIONS request to show it).

Screenshot_20190615_010914

So the request that I made to the endpoint /login/oauth/access_token should have this header.

@stale

stale bot commented Aug 13, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Aug 13, 2019
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Aug 14, 2019
@stale stale bot removed the issue/stale label Aug 14, 2019
@tonivj5 tonivj5 mentioned this issue Aug 24, 2019
@sebastianwindeck

Is this issue solved?
I tried to access the endpoint from another resource for dev purposes
with [cors] enabled. I would like to enable CORS for the endpoint:
/login/oauth/access_token.

How can I enable gitea in the config file app.ini to set the header:

    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

@zeripath
Contributor

zeripath commented Mar 1, 2021

Hmm

I think we might need a block like

gitea/routers/api/v1/api.go

Lines 556 to 563 in a3cc842

    m.Use(cors.Handler(cors.Options{
        //Scheme: setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
        AllowedOrigins: setting.CORSConfig.AllowDomain,
        //setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
        AllowedMethods: setting.CORSConfig.Methods,
        AllowCredentials: setting.CORSConfig.AllowCredentials,
        MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
    }))

For those Auth routes

gitea/routers/routes/web.go

Lines 385 to 391 in 73a093d

    m.Group("/login/oauth", func() {
        m.Get("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
        m.Post("/grant", bindIgnErr(auth.GrantApplicationForm{}), user.GrantApplicationOAuth)
        // TODO manage redirection
        m.Post("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
    }, ignSignInAndCsrf, reqSignIn)
    m.Post("/login/oauth/access_token", bindIgnErr(auth.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth)

It will need a little bit of thought to know which need it.
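The idea in the comment above, sketched for the token route with only the Go standard library, as an added example that is not part of the thread and is not Gitea's code or the change in #14850. `withCORS`, `tokenStub`, `preflight` and the `example.test` origins are hypothetical; the origin and method lists stand in for the `AllowDomain` and `Methods` settings, and the wrapper uses an explicit origin allowlist.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// withCORS (hypothetical) sets CORS headers for allowlisted origins only and answers their preflights.
func withCORS(origins, methods []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin, allowed := r.Header.Get("Origin"), false
		for _, o := range origins {
			allowed = allowed || o == origin
		}
		w.Header().Add("Vary", "Origin") // the response depends on the caller's origin
		if allowed {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		if allowed && r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Methods", strings.Join(methods, ", "))
			w.WriteHeader(http.StatusNoContent) // preflight answered here, never reaches the token handler
			return
		}
		next.ServeHTTP(w, r) // other origins get no Access-Control-* headers at all
	})
}

var tokenStub = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // stand-in for the POST-only token handler
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
})

// preflight replays a constructed browser preflight for the token endpoint and returns the response.
func preflight(origins, methods []string, origin string) *http.Response {
	req := httptest.NewRequest(http.MethodOptions, "/login/oauth/access_token", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	withCORS(origins, methods, tokenStub).ServeHTTP(rec, req)
	return rec.Result()
}

func main() {
	res := preflight([]string{"https://app.example.test"}, []string{"POST", "OPTIONS"}, "https://app.example.test")
	fmt.Println(res.StatusCode, res.Header.Get("Access-Control-Allow-Methods"))
}
```

A preflight from an origin outside the list falls through to the stub and comes back as 405 with no `Access-Control-*` headers, which is what a browser needs to see to refuse the cross-origin call.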

@zeripath
Contributor

zeripath commented Mar 2, 2021

@esfraner @sebastianwindeck Would you be able to try #14850 to see if that fixes your issue?

lafriks added a commit that referenced this issue Mar 4, 2021
Fix #7204

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: 6543 <[email protected]>
Co-authored-by: Lauris BH <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators May 13, 2021