Solicitação de logout de aplicativo web com problemas de CORS

Suporte
1

Olá a todos, obrigado ao Discourse, achei que a configuração era bem fácil, até este ponto.

Tenho uma configuração de SSO que funciona bem com meu aplicativo web, no entanto, quando aciono o endpoint admin/users/:id/logout, ele não funciona a partir do aplicativo web.

Por alguma razão, ele aceita um cURL sem problemas:

 curl 'http://localhost/admin/users/2/log_out' \
  -X 'POST' \
  -H 'Api-Key: <>' \
  -H 'Content-Type: multipart/form-data;' -v

*   Trying 127.0.0.1:80...
* Connected to localho.st (127.0.0.1) port 80 (#0)
> POST /admin/users/2/log_out HTTP/1.1
> Host: localho.st
> User-Agent: curl/7.77.0
> Accept: */*
> Api-Key: <>
> Content-Type: multipart/form-data;
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 200 OK
< Cache-Control: no-cache, no-store
< Access-Control-Allow-Origin: http://localhost:3000
< Vary: Accept
< Referrer-Policy: strict-origin-when-cross-origin
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 1; mode=block
< X-Request-Id: 26dfcbf6-497c-45db-8e3d-17aef9ba812c
< X-Discourse-Route: users/log_out
< Access-Control-Allow-Headers: Content-Type, Cache-Control, X-Requested-With, X-CSRF-Token, Discourse-Present, User-Api-Key, User-Api-Client-Id, Authorization
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE
< X-Download-Options: noopen
< X-Runtime: 0.190266
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-Discourse-Username: emurillo
< Date: Tue, 30 Nov 2021 21:12:58 GMT
< X-Powered-By: Phusion Passenger(R) 6.0.10
< Server: nginx/1.20.1 + Phusion Passenger(R) 6.0.10
<
* Connection #0 to host localho.st left intact
{"success":"OK"}

e os logs do servidor:

Started POST "/admin/users/2/log_out" for 172.18.0.1 at 2021-11-30 21:12:58 +0000
Processing by Admin::UsersController#log_out as */*
  Parameters: {"user_id"=>"2"}
Can't verify CSRF token authenticity.
Completed 200 OK in 75ms (Views: 0.9ms | ActiveRecord: 0.0ms | Allocations: 2350)

Mas então, quando tento a partir do aplicativo web:

axios.post('http://localhost/admin/users/2/log_out', {}, {
  headers: {
    'User-Api-Key': '<>',
    'Content-Type': 'multipart/form-data'
  }
});

os logs do servidor mostram:

Started POST "/admin/users/2/log_out" for 172.18.0.1 at 2021-11-30 21:08:26 +0000
ActionController::RoutingError (No route matches [POST] "/admin/users/2/log_out")

Mais algumas evidências:

Screen Shot 2021-11-30 at 15.10.37
Screen Shot 2021-11-30 at 15.10.371236×382 56.4 KB

xxxxxxxxxxx
Screen Shot 2021-11-30 at 15.11.13
Screen Shot 2021-11-30 at 15.11.13996×276 57.7 KB

xxxxxxxxxxx
Screen Shot 2021-11-30 at 15.11.51
Screen Shot 2021-11-30 at 15.11.51662×439 52.4 KB

2

O que você quer dizer com “do aplicativo web”. Você está tentando chamar este endpoint da API do JavaScript do front-end? Isso exporia a chave de API de administrador.

3

Está certo, queria verificar primeiro no front-end, mas se você recomenda configurar um endpoint no meu servidor para lidar com o logout (e não há caminho mais curto para isso) seguirei seu conselho.

1 curtida
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.