Comments (4)
Ahhhh I see now. Thanks for the explanation and links, the current behavior makes total sense 👍 please feel free to close this out! 👍
from node-oauth2-jwt-bearer.
Hi @nfadili - thanks for raising this
I see what you mean and I know we put some logic in express-jwt to handle this, but I'd rather just expect the user to put their cors handling middleware before their auth handling, this seems more logical to me than making it possible to put them out of order.
app.use(cors());
app.use(auth());
I also feel a little uncomfortable about letting the request decide if it should bypass authentication checks (although this is probably overkill)
Hey @adamjmcgrath thanks for the quick reply!
It is my understanding that the cors middleware doesn't affect this. Whether it comes before or after the auth middleware, it is only ever attaching CORS related headers to responses, nothing more. Please let me know if I am incorrect there! In my mind, the root of the issue is that the auth middleware checks for credentials (in headers, body, and query) for every request it is run for. Requests that are CORS-preflight OPTIONS requests will not contain credentials because the CORS spec advises against it, so the example usages that show app.use(auth({...})) will not work with cross-origin requests.
I do agree that it makes sense for this lib to not be opinionated on what requests to bypass auth on 😄 so I think the existing behavior makes sense! It is an important behavioral difference from the last lib Auth0 maintained (express-jwt) so hopefully this will help someone out if they are going through the migration!
Hi @nfadili
It is my understanding that the cors middleware doesn't affect this. Whether it comes before or after the auth middleware, it is only ever attaching CORS related headers to responses, nothing more. Please let me know if I am incorrect there!
The default value for preflightContinue is false (see https://expressjs.com/en/resources/middleware/cors.html#configuration-options), which means that preflight requests will terminate at the cors middleware by default.
Also, the cors middleware docs recommend you put the cors middleware before other routes (see https://expressjs.com/en/resources/middleware/cors.html#enabling-cors-pre-flight), which is what we do in the example app https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/examples/express-api.ts#L20
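The ordering point made in this thread, as an added example that is not code from node-oauth2-jwt-bearer or the cors package: a dependency-free, Express-style middleware chain in which `corsMiddleware` and `authMiddleware` are assumed, simplified stand-ins for `cors()` (with `preflightContinue: false`) and `auth()`. Running the same constructed preflight through both registration orders shows why the preflight only succeeds when the cors middleware comes first.

```javascript
// Stand-in for cors() with preflightContinue: false (an assumed, simplified
// version of the real package): a preflight (OPTIONS + Origin +
// Access-Control-Request-Method) gets 204 and the chain stops; any other
// request only gets CORS headers attached and continues to next().
function corsMiddleware(req, res, next) {
  res.headers['Access-Control-Allow-Origin'] = '*';
  const preflight = req.method === 'OPTIONS' &&
    req.headers.origin && req.headers['access-control-request-method'];
  if (preflight) {
    res.headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE';
    res.status = 204;
    res.ended = true; // preflightContinue is false: terminate here
    return;
  }
  next();
}

// Stand-in for auth(): demands a bearer credential on every request it sees;
// preflights carry none (the CORS spec advises against it), so they get 401.
function authMiddleware(req, res, next) {
  const authz = req.headers.authorization || '';
  if (!authz.startsWith('Bearer ')) {
    res.status = 401;
    res.ended = true;
    return;
  }
  req.auth = { token: authz.slice(7) };
  next();
}

// Route handler, reached only after auth() populated req.auth.
function handler(req, res) { res.status = 200; res.ended = true; }

// Drive a request through the middlewares in registration order (app.use()).
function run(middlewares, req) {
  const res = { status: 0, headers: {}, ended: false };
  let i = 0;
  const next = () => {
    if (!res.ended && i < middlewares.length) middlewares[i++](req, res, next);
  };
  next();
  return res;
}

// Constructed sample preflight, as a browser sends it: no Authorization header.
const preflight = { method: 'OPTIONS', headers: { origin: 'https://app.example', 'access-control-request-method': 'GET' } };
console.log(run([corsMiddleware, authMiddleware, handler], preflight).status); // 204
console.log(run([authMiddleware, corsMiddleware, handler], preflight).status); // 401
```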