An Angularjs app is using a new connection to an AWS API GW service on a different domain. CORS has been enabled but am still getting error:
Access to XMLHttpRequest at 'https://api.ap-southeast-2.amazonaws.com/prod/api1' from origin 'https://angularapp.host' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
It fails before this:
return $http.get(AWS_API_GW_Server, headers).then(function (res) {
I tried configuring CORS in the nssm/nginx config also but still have same issue. Only way I could resolve it was by creating a new Chrome shortcut as follows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=C:/temp
How can I fix this properly in either Angularjs app or NGinx?
Angularjs snippets
.run(function ($rootScope, AUTH_EVENTS, AuthService) {
$rootScope.$on('$routeChangeStart', function (event, next) {
var authorizedRoles = next.data.authorizedRoles;
//console.log('routeChangeStart: ' + authorizedRoles);
if (!AuthService.isAuthorized(authorizedRoles)) {
var auth = AuthService.isAuthorized(authorizedRoles);
event.preventDefault();
if (AuthService.isAuthenticated()) {
// user is not allowed
$rootScope.$broadcast(AUTH_EVENTS.notAuthorized);
} else {
// user is not logged in
$rootScope.$broadcast(AUTH_EVENTS.notAuthenticated);
}
}
});
})
Auth service login function
authService.login = function (credentials) {
var base64Token = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(credentials.userName + ':' + credentials.password));
var headers = { headers: {'Authorization': 'Basic '+ base64Token} };
return $http.get(AuthenticationServer, headers)
.then(function (res) {
console.log("response isAuthenticated: " + res.data.isAuthenticated);
var userRole = ""
if (res.data.isAuthenticated == 'true') {
var memberOfList = res.data.memberOf
var groupa= "removed"
var groupb= "removed"
if(memberOfList.includes(groupa) || memberOfList.includes(groupb)) {
userRole = USER_ROLES.admin
Session.create(credentials.userName, USER_ROLES.admin);
} else {
userRole = USER_ROLES.guest
Session.create(credentials.userName, USER_ROLES.guest);
}
return { user: res.data.fullName, auth : true, role : userRole};
} else {
return { user: credentials.userName, auth : false, role : userRole };
}
})
};
Nginx config snippet
server {
listen 443 ssl;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
root D:/apppath/app;
index index.html /app/index.html;
location / {
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin"; # DO NOT remove THIS LINES (doubled with outside 'if' above)
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Max-Age' 1728000; # cache preflight value for 20 days
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin';
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
try_files $uri $uri/ /index.html;
}
UPDATE - network tab info
preflight OPTIONS request appears to be successful and has been enabled on the AWS API GW resource.
Response headers from OPTIONS call appear OK too
Regardless, the actual service call throws a CORS error, presumably because the Host (AWS target API) and Origin headers are different. With chrome hack above this works so issue appears to be browser based but can't see how else to override this.
Access to XMLHttpRequest at 'AWS target endpoint' from origin 'Where Angularjs UI is based' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.