auth middleware expects credentials for CORS-preflight requests about node-oauth2-jwt-bearer HOT 4 CLOSED

Hi @nfadili

It is my understanding that the cors middleware doesn't affect this. Whether it comes before or after the auth middleware, it is only ever attaching CORS related headers to responses, nothing more. Please let me know if I am incorrect there!

The default value for preflightContinue is false (see https://expressjs.com/en/resources/middleware/cors.html#configuration-options) which means that preflight requests will terminate at the cors middleware by default.

Also, the cors middleware docs recommend you put the cors middleware before other routes (see https://expressjs.com/en/resources/middleware/cors.html#enabling-cors-pre-flight). Which is what we do in the example app https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/examples/express-api.ts#L20

Ahhhh I see now. Thanks for the explanation and links, the current behavior makes total sense 👍 please feel free to close this out! 👍

from node-oauth2-jwt-bearer.

Hi @nfadili - thanks for raising this

I see what you mean and I know we put some logic in express-jwt to handle this, but I'd rather just expect the user to put their cors handling middleware before their auth handling, this seems more logical to me than making it possible to put them out of order.

app.use(cors());
app.use(auth());

I also feel a little uncomfortable about letting the request decide if it should bypass authentication checks (although this is probably overkill)

from node-oauth2-jwt-bearer.

Hey @adamjmcgrath thanks for the quick reply!

It is my understanding that the cors middleware doesn't affect this. Whether it comes before or after the auth middleware, it is only ever attaching CORS related headers to responses, nothing more. Please let me know if I am incorrect there! In my mind, the root of the issue is that the auth middleware checks for credentials (in headers, body, and query) for every request it is ran for. Requests that are CORS-preflight OPTIONS requests will not contain credentials because the CORS spec advises against it, so the example usages that show app.use(auth({...}) will not work with cross-origin requests.

I do agree that it makes sense for this lib to not be opinionated on what requests to bypass auth on 😄 so I think the existing behavior makes sense! It is an important behavioral difference from the last lib Auth0 maintained (express-jwt) so hopefully this will help someone out if they are going through the migration!

from node-oauth2-jwt-bearer.

Hi @nfadili

It is my understanding that the cors middleware doesn't affect this. Whether it comes before or after the auth middleware, it is only ever attaching CORS related headers to responses, nothing more. Please let me know if I am incorrect there!

The default value for preflightContinue is false (see https://expressjs.com/en/resources/middleware/cors.html#configuration-options) which means that preflight requests will terminate at the cors middleware by default.

Also, the cors middleware docs recommend you put the cors middleware before other routes (see https://expressjs.com/en/resources/middleware/cors.html#enabling-cors-pre-flight). Which is what we do in the example app https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/examples/express-api.ts#L20

from node-oauth2-jwt-bearer.