No worries about asking questions, that’s why we’re here. There’s no fixed answer to what config is needed for OPTIONS and CORS as that depends on your API. You need to enable access to the different HTTP verbs and any headers you’re going to use with your API.
For example, in our petstore, running: curl -I http://petstore.swagger.io/v2/swagger.json Results in: HTTP/1.1 200 OK Date: Thu, 19 Jan 2017 21:05:25 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, DELETE, PUT Access-Control-Allow-Headers: Content-Type, api_key, Authorization Content-Type: application/json Content-Length: 0 Connection: close Server: Jetty(9.2.9.v20150224) You’ll notice the `api_key` header on the list because the pet store sample uses a header with that name. On 19/01/2017, 12:22, "Morgan, Hunter" <[email protected]> wrote: I’m sorry if I’m about to ask things that I just need to research, but with respect to the swagger ui, what is the required participation/capability/access config of options requests, and what is the context for those requests being made? --- Hunter Morgan Data Platform Engineering 540 391 0440 [email protected] > On Jan 19, 2017, at 3:19 PM, Ron Ratovsky <[email protected]> wrote: > > Hi Rich, > > So yeah, that is an indicator of a CORS issue, but it could be something slightly else. > You’re getting 401 Unauthorized on OPTIONS – and you shouldn’t OPTIONS calls should never require authorization. > That could be a hint as to what to look into. > > > > From: "Morrisey, Richard" <[email protected]> > Date: Thursday, 19 January 2017 at 7:46 > To: Ron Ratovsky <[email protected]>, "[email protected]" <[email protected]> > Cc: "Morgan, Hunter" <[email protected]> > Subject: Re: cors/authentication headers > > Sorry Ron, I am working on old fashioned email time rather than IM L See the screen capture below. I don’t believe I am exposing any sensitive info. > > > See screenshot<image001.png> > > I already had that open. > > > From: Ron Ratovsky <[email protected]> > Date: Wednesday, January 18, 2017 at 4:56 PM > To: "Morrisey, Richard" <[email protected]>, "[email protected]" <[email protected]> > Cc: "Morgan, Hunter" <[email protected]> > Subject: Re: cors/authentication headers > > Hi Rich, > > Thanks for the extra details. > We could definitely use better error handling (and we’re working on that, I promise). > It does indeed sound like a CORS issue, but let’s verify that’s the issue first. > > Can you open your browser’s web console, switch to the network tab, and then execute the call? > Following what you see there, we can (hopefully) proceed. > > > > From: "Morrisey, Richard" <[email protected]> > Date: Wednesday, 18 January 2017 at 12:53 > To: Ron Ratovsky <[email protected]>, "[email protected]" <[email protected]> > Cc: "Morgan, Hunter" <[email protected]> > Subject: Re: cors/authentication headers > > Ron, > > I originally had this issue. I installed swagger-editor 20.10.4 on osx 10.11.6 (my laptop), from github using the online documentation. > I have a request that requires basic authentication. > > My security section looks like: > > securityDefinitions: > userSecurity: > type: basic > description: HTTP Basic Authentication. Works over `HTTP` and `HTTPS` > > My path looks like: > /v2/data/clusters: > get: > security: > - userSecurity: [] > description: | > Returns a list of provisioned clusters > responses: > 200: > description: Cluster JSON > I enter my credentials in the rendered control panel and get a green checkmark. I click ‘Try this Operation’ on the indicated path, then ‘send request’. Then I see ‘ERROR Server not found or an error occurred’. (‘or an error occurred’ seems to wipe out the specificity of ‘Server not found’). I’m pretty sure the server is being resolved in an earlier path/request that does not need basic auth, there is no problem getting to the server. However, I do note that there is no ‘Authorization:’ header in the request for this path even though I am specifying security. > > We also have a warning about CORS. This may be a red-herring. > > Thanks for any help. > Rich > > > From: Ron Ratovsky <[email protected]> > Date: Wednesday, January 18, 2017 at 3:05 PM > To: "[email protected]" <[email protected]> > Cc: "Morgan, Hunter" <[email protected]>, "Morrisey, Richard" <[email protected]> > Subject: Re: cors/authentication headers > > Hi Hunter, > > Replied to you on IRC. > It’s unclear what the actual problem is. You’re describing the solution you tried, but not what you experienced and what you’re trying to solve. > So, what’s the original issue? > > > > From: <[email protected]> on behalf of hunter morgan <[email protected]> > Reply-To: "[email protected]" <[email protected]> > Date: Wednesday, 18 January 2017 at 9:07 > To: Swagger <[email protected]> > Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]> > Subject: cors/authentication headers > > this copies something from IRC. just want to make sure it didn't get lost. > > hey a teammate and i were unable yesterday to get a locally running swagger-editor to supply authentication to an api we were trying to test. i tried adding config from http://enable-cors.org/server_nginx.html, specifically the contents of one of the second two if blocks, because nginx complained at the inclusion of ifs. must have something to do with the structure. maybe because it's reverse proxying back to a node restify api? I also tried http://enable-cors.org/server_expressjs.html on the node api, but still no love. the nginx and api are live, in another castle, so i suspect it's cors tripping us up. > the import proxy setting, is that just for spec import, not for proxying try it out requests? i tried starting a local cors-it and using that in that config section as well, but it didn't seem to change anything. > -- > You received this message because you are subscribed to the Google Groups "Swagger" group. > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > > > > > > > The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer. > > The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer. > <image001.png> ________________________________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer. -- You received this message because you are subscribed to the Google Groups "Swagger" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
