RPC Server: Basic Authentication doesn't work with CORS #811

Closed
cschuchardt88 opened this issue Aug 18, 2023 · 0 comments · Fixed by #812
cschuchardt88 commented Aug 18, 2023

Describe the bug
You allow CORS on the RPC Server, but do not allow "Access-Control-Allow-Credentials" if basic auth is enabled. You do not follow the specification. In short, the browser isn't sending the credentials for the login because CORS is not configured correctly on the RPC server.

context.Response.Headers["Access-Control-Allow-Origin"] = "*";

Also note: the CORS specification states that setting origins to "*" (all origins) is invalid if the Access-Control-Allow-Credentials header is present.

To Reproduce
Steps to reproduce the behavior:

  1. enable config.json with RpcUser and RpcPass
  2. open devtools in a browser
  3. type fetch('http://127.0.0.1:20332/?jsonrpc=2.0&id=1&method=getapplicationlog&params=[%220x632158b854f3e9cf132ba20b4aacbd5066bb9c330fe1a53a51d1a38c66fd175a%22]'); in console.


Expected behavior
CORS to work with basic auth enabled.

Platform:

  • RPC (HTTP)
@cschuchardt88 cschuchardt88 changed the title RPC Server: Basic Auth with no CORS Access-Control-Allow-Credentials RPC Server: Basic Authentication doesn't work with CORS Aug 19, 2023
@Jim8y Jim8y closed this as completed in #812 Jan 4, 2024
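
The header interaction reported above, as an added example that is not part of the issue or of the project's code: it models how a server could choose CORS headers when basic auth is on, and the browser-side CORS check from the Fetch standard that rejects the wildcard for credentialed requests. `ALLOWED_ORIGINS`, `corsHeaders`, `passesCorsCheck` and the origins used are assumptions made for illustration.

```javascript
// Constructed allowlist (assumption): origins permitted to make credentialed calls.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]);

// Choose CORS response headers for a request carrying the given Origin header.
function corsHeaders(origin, { authEnabled }) {
  if (!authEnabled) {
    // No credentials involved, so the wildcard is valid.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // unknown origin: no CORS headers, the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": origin, // echo the exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    // Authorization is not a CORS-safelisted request header, so it must be listed.
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Vary": "Origin", // stop caches from serving one origin's answer to another
  };
}

// The browser's CORS check, reduced to the two headers that matter here.
function passesCorsCheck(headers, origin, credentialsMode) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== origin) return false;
  if (credentialsMode !== "include") return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Compare the wildcard-only response from the issue with the allowlisted one.
function demo() {
  const origin = "http://localhost:3000";
  const other = "http://unlisted.example"; // constructed origin, not on the allowlist
  const wildcardOnly = { "Access-Control-Allow-Origin": "*" };
  const fixed = corsHeaders(origin, { authEnabled: true });
  return {
    wildcardAnonymous: passesCorsCheck(wildcardOnly, origin, "same-origin"),
    wildcardWithCreds: passesCorsCheck(wildcardOnly, origin, "include"),
    fixedWithCreds: passesCorsCheck(fixed, origin, "include"),
    unlistedWithCreds: passesCorsCheck(
      corsHeaders(other, { authEnabled: true }), other, "include"),
  };
}
```

Reflecting any incoming `Origin` together with `Access-Control-Allow-Credentials: true` would let every site make authenticated calls, which is why the sketch checks an allowlist before echoing the origin.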