I'm doing an API server which (a) serves JSON and (b) handles the OAuth2 dance with Google / Twitter / Facebook, returning a token to the front-end server. The two servers are separate machines, and therefore have lots of CORS restrictions.
In general to deal with CORS, I use the cors node module - basically set up your policy and add it as middleware on the relevant routes. Pretty straightforward. I inject the token in an HTML file that results from the OAuth2 dance being successful. The HTML file has an onLoad script that uses window.opener.postMessage to tell the original (Angular) window that the login was successful and the value of the token.

I recently gave a lightning talk at SF Perl Mongers about this - https://archive.org/details/sfperlmongerslightningtalks2014 (third video). Slides here: https://docs.google.com/presentation/d/1Drvrqu3W3SJb2_01HiDC5cGYGaA_O2_3hO8sACX9zcQ/edit?usp=sharing

On Thu, May 22, 2014 at 9:18 AM, Jeff Hubbard <[email protected]> wrote:
> > it does not contain the 'X-token' header.
>
> I don't see that header in the Access-Control-Allow-Headers header. You
> won't be able to access said header, even if the server sends it back,
> until that's fixed.
>
> On Thursday, May 22, 2014 5:58:42 AM UTC-7, Tomas Kouba wrote:
>>
>> Hello,
>>
>> the API I'd like to use with angularjs uses token based authentication.
>> I am trying to set up the CORS properly, but I am a bit lost.
>>
>> Can anybody please help me with the following example?
>>
>> The auth token is returned as a custom http header. In my example it is
>> X-token header from http://tomaso.cz/token/token.html
>>
>> If my angularjs "app" is sitting at http://tomaso.cz/get_token.html
>> (js code at http://tomaso.cz/app.js )
>> it works fine and I can print the token.
>>
>> If I want to launch the same code from localhost the browser (firefox
>> 29.0) issues an OPTIONS method
>> and gets (IMHO correct) headers:
>>
>> Access-Control-Allow-Origin: *
>> access-control-allow-credentials: true
>> access-control-allow-headers: x-account, accept,
>> access-control-request-origin
>> access-control-allow-methods: GET,OPTIONS
>>
>> After this the GET method is issued, but the angularjs "headers" object
>> is empty (it does not
>> contain the 'X-token' header).
>>
>> I have also tried to put the client on a different server than localhost
>> and it does not work at all - the OPTIONS is
>> issued but then browser complains: "Cross-Origin Request Blocked: The
>> Same Origin Policy disallows reading the remote resource at
>> http://tomaso.cz/token/token.html. This can be fixed by moving the
>> resource to the same domain or enabling CORS."
>>
>> I think I have changed everything on the server side to switch CORS on.
>>
>> Thanks in advance for any suggestions.
>>
>> Cheers,
>> Tomas
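An added example, not part of the thread or of any poster's code: a simplified model of the browser's CORS response-header filtering, next to a server-side policy that exposes the `X-token` header to an allow-listed origin. The origins, the token value and the function names are assumptions made for illustration.

```javascript
// Added example; origins and token value are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['http://localhost:8000', 'https://app.example.test']);

// Server side: CORS headers for one response, given the request's Origin header.
function corsHeaders(requestOrigin, { credentials = false } = {}) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // unlisted origin gets no CORS headers
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin, // echo the vetted origin instead of '*'
    'Vary': 'Origin',                             // keep caches from mixing origins
    'Access-Control-Expose-Headers': 'X-token',   // lets page script read this response header
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Browser side, simplified: which response headers a cross-origin script may read.
// Returns null when the browser would block the response entirely.
const SAFELISTED = ['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma'];

function readableHeaders(pageOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return null;
  // '*' is rejected for credentialed requests; otherwise the origin must match exactly.
  if (allow === '*' ? withCredentials : allow !== pageOrigin) return null;
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') return null;
  const exposed = (h['access-control-expose-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const visible = {};
  for (const [k, v] of Object.entries(h)) {
    if (SAFELISTED.includes(k) || exposed.includes(k)) visible[k] = v;
  }
  return visible;
}

// Constructed responses: one modelled on the headers quoted in the thread,
// one built with the policy above.
const APP_ORIGIN = 'http://localhost:8000';
const baseHeaders = { 'Content-Type': 'text/html', 'X-token': 'constructed-token' };
const before = { ...baseHeaders, 'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true' };
const after = { ...baseHeaders, ...corsHeaders(APP_ORIGIN, { credentials: true }) };

console.log(readableHeaders(APP_ORIGIN, before));       // content-type only, no x-token
console.log(readableHeaders(APP_ORIGIN, before, true)); // null: '*' with credentials
console.log(readableHeaders(APP_ORIGIN, after, true));  // content-type and x-token
```

The model ignores the `*` wildcard form of `Access-Control-Expose-Headers` and the preflight step; it covers only the read-side filtering of the final response.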
