
Comments (7)

khorolets commented on May 23, 2024 2

@tonymobster I'm working on a workaround for preflight requests, haven't committed yet.

Here is the working piece of code that is fixing the problem.

You should replace the route method in flask_restplus_patched/namespace.py (at the bottom):

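```python
import flask
from http import HTTPStatus  # assumption: Python 3 standard library

# The two functions below are methods of the Namespace class.

@staticmethod
def preflight_options_handler(func):
    def decorator(*args, **kwargs):
        # A CORS preflight carries both Access-Control-Request-* headers;
        # answer it directly instead of running the wrapped handler.
        if (
            'Access-Control-Request-Headers' in flask.request.headers
            and
            'Access-Control-Request-Method' in flask.request.headers
        ):
            # TODO add response headers to return available methods
            return flask.Response(status=HTTPStatus.OK)
        # Any other OPTIONS request goes to the wrapped handler;
        # its response has to be returned to the caller.
        return func(*args, **kwargs)
    return decorator


def route(self, *args, **kwargs):
    base_wrapper = super(Namespace, self).route(*args, **kwargs)
    def wrapper(cls):
        # Only wrap resources that expose an OPTIONS method.
        if 'OPTIONS' in cls.methods:
            cls.options = self.preflight_options_handler(
                self.response(code=HTTPStatus.NO_CONTENT)(cls.options)
            )
        return base_wrapper(cls)
    return wrapper
```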

Please, feel free to ping me if you need anything else :)

from flask-restplus-server-example.

frol commented on May 23, 2024 1

> Where do I set additional CORS headers, e.g. Access-Control-Allow-Origin?

There are three options:

  1. Set them on the reverse proxy (e.g. Nginx): https://github.com/frol/flask-restplus-server-example/blob/master/deploy/stack1/revproxy/conf.d/default.conf#L10
  2. Set them on individual endpoints using @flask_restplus.cors.crossdomain decorator: https://github.com/noirbizarre/flask-restplus/blob/master/tests/test_cors.py (tests are the best examples ;))
  3. Extend the @Namespace.route implementation (there is already a custom Namespace implementation in app/extensions/api/namespace.py specifically to serve such use-cases) adding the headers automatically to all your endpoints.

> And can you clarify # TODO add response headers to return available methods?

@khorolets's current implementation always returns HTTP/200 OK, but it will be just nicer to also return Allow header with only implemented methods (it is not hard, but we just need to bootstrap another project before we can change our focus back to the API server)

from flask-restplus-server-example.

frol commented on May 23, 2024

@khorolets Please, take a look at this (notice the "permissions check" part). This should be a part of Flask-RESTplus, so I suggest you "patch" Resource (inherit and switch all direct uses) with def options method. Meanwhile, I will try to come up with new tasks special for you.

from flask-restplus-server-example.

frol commented on May 23, 2024

I would like the default implementation of OPTIONS to be quite basic (though it will be still challenging to implement it), the response will need to check if current user can access the endpoint with certain method types, so the possible response might be:

  1. Not authenticated user (POST is used for sign up):

    OPTIONS /users/
    
    204 OK
    Allow: POST
    
  2. Authenticated user:

    OPTIONS /users/
    
    204 OK
    Allow: GET, POST
    
  3. Imagine that only admins can delete users, and here is the output for admin as a current user:

    OPTIONS /users/
    
    204 OK
    Allow: GET, POST, DELETE
    

from flask-restplus-server-example.

tonymobster commented on May 23, 2024

How do I disable authentication for the OPTIONS requests? Currently it needs the authorization header to be set but for preflight requests the browser doesn't set the request header, i.e.

```
Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers:authorization
Access-Control-Request-Method:GET
Connection:keep-alive
DNT:1
Host:localhost:5000
Origin:http://localhost:3000
Referer:http://localhost:3000/start
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
```

from flask-restplus-server-example.
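An added example (not code from this thread or from flask-restplus-server-example) combining the two behaviours discussed above: a plain OPTIONS reply whose Allow header depends on the caller's role, and a CORS preflight answered without credentials but only for an allowlisted origin. It uses only the standard library; `handle_options`, `permitted_methods`, the role names, the origin allowlist and the per-method rules are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed sample policy (assumptions for illustration, not project settings).
ALLOWED_ORIGINS = {"http://localhost:3000"}
ALLOWED_REQUEST_HEADERS = {"authorization", "content-type"}
# Minimum role per method on /users/ (None = anonymous), as in the thread's example.
USERS_METHODS = {"POST": None, "GET": "user", "DELETE": "admin"}
ROLE_RANK = {None: 0, "user": 1, "admin": 2}


def permitted_methods(role, rules=USERS_METHODS):
    """Methods the given role may call, in a stable order for the Allow header."""
    order = ["GET", "POST", "PUT", "PATCH", "DELETE"]
    return [m for m in order
            if m in rules and ROLE_RANK[role] >= ROLE_RANK[rules[m]]]


def handle_options(headers, role=None, rules=USERS_METHODS):
    """Return (status, response_headers) for an OPTIONS request.

    headers: request headers as a dict with lower-cased names.
    role: role resolved from credentials, None when the request carries none.
    """
    origin = headers.get("origin")
    requested_method = headers.get("access-control-request-method")
    if origin is None or requested_method is None:
        # Plain OPTIONS: advertise only what this caller is permitted to use.
        allow = ", ".join(permitted_methods(role, rules))
        return HTTPStatus.NO_CONTENT, {"Allow": allow}

    # CORS preflight: the browser sends no Authorization header, so it is
    # answered without authentication. The real request that follows must
    # still pass the endpoint's normal permission checks.
    if origin not in ALLOWED_ORIGINS or requested_method not in rules:
        return HTTPStatus.FORBIDDEN, {}  # no CORS headers: browser blocks the call
    raw = headers.get("access-control-request-headers", "")
    requested = {h.strip().lower() for h in raw.split(",") if h.strip()}
    if not requested <= ALLOWED_REQUEST_HEADERS:
        return HTTPStatus.FORBIDDEN, {}
    return HTTPStatus.NO_CONTENT, {
        "Access-Control-Allow-Origin": origin,  # echo only an allowlisted origin
        "Access-Control-Allow-Methods": ", ".join(sorted(rules)),
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
        "Vary": "Origin",  # caches must not reuse the reply for another origin
    }
```

The preflight branch cannot filter methods by role because no credentials are present, so it lists every method the endpoint implements and leaves enforcement to the authenticated request.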

tonymobster commented on May 23, 2024

I'll try that later and feedback. 2 quick questions. Where do I set additional CORS headers, e.g. Access-Control-Allow-Origin? And can you clarify # TODO add response headers to return available methods?

Thanks @khorolets

from flask-restplus-server-example.

khorolets commented on May 23, 2024

@tonymobster The code I had shared has been refactored a little bit, please have a look at pull request

/cc @frol

from flask-restplus-server-example.
