Compatibility with CI CORS feature #1124
Replies: 3 comments
-
After a few tests, I can handle the situation by creating a custom token filter:

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\Cors as CorsService;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\Response;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Shield\Authentication\Authenticators\AccessTokens;

class TokenAuthWithCorsSupport implements FilterInterface
{
    // Declared explicitly: dynamic properties are deprecated since PHP 8.2
    private ?CorsService $cors = null;

    public function before(RequestInterface $request, $arguments = null)
    {
        if (! $request instanceof IncomingRequest) {
            return;
        }

        /** @var AccessTokens $authenticator */
        $authenticator = auth('tokens')->getAuthenticator();

        $result = $authenticator->attempt([
            'token' => $request->getHeaderLine(setting('Auth.authenticatorHeader')['tokens'] ?? 'Authorization'),
        ]);

        if (! $result->isOK() || (! empty($arguments) && $result->extraInfo()->tokenCant($arguments[0]))) {
            $response = service('response')
                ->setStatusCode(Response::HTTP_UNAUTHORIZED)
                ->setJson(['message' => lang('Auth.badToken')]);

            // Returning a response from before() short-circuits the pipeline, so the
            // CORS "after" filter never runs; add the CORS headers here instead.
            // As in the original, $arguments[0] doubles as the CORS config name.
            $this->cors ??= ($arguments === null) ? CorsService::factory()
                : CorsService::factory($arguments[0]);

            return $this->cors->addResponseHeaders($request, $response);
        }

        if (setting('Auth.recordActiveDate')) {
            $authenticator->recordActiveDate();
        }

        // Block inactive users when Email Activation is enabled
        $user = $authenticator->getUser();
        if ($user !== null && ! $user->isActivated()) {
            $authenticator->logout();

            return service('response')
                ->setStatusCode(Response::HTTP_FORBIDDEN)
                ->setJson(['message' => lang('Auth.activationBlocked')]);
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Do something here
    }
}
```

Does this make sense to you folks?
-
You are correct.
-
OK, thank you for your answer. This can then be bypassed by using a custom filter reproducing the Token filter and checking the CORS configuration before sending the response. Regards
-
Hello all.
Since version 4.5.0, CI has introduced CORS support. With this functionality we can handle the Access-Control-Allow-Origin header pretty easily.
However, I have noticed that the associated filter does not seem to work when used with the Shield token filter:
when a request with a bad token is made, the response built by Shield does not contain the Access-Control-Allow-Origin header, so the response is then not accessible to script.
Have I missed something?