CORS token authentication with devise token auth
11 months ago

Hi all !

You like backend and security issues? This one is for you ;)

Let's say we have app A and app B. App A is my backend, serving data on request to app B (my customer interface) via API. App B user is authenticated to app A with devise token auth.

For security reasons, App A must accept requests only from authorized origins. The setup is done using the rack/cors gem. Therefore, in config.rb of App A, I have:

config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins "#{ENV['authorized_api_call_origin']}"
    resource '*',
      :headers => :any,
      :expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],
      :methods => [:get, :post, :options, :delete, :put]
  end
end

On localhost everything is working fine. In production, on my own computer, everything is working fine as well.

But, in production, another device or computer cannot properly authenticate from App B to App A. The console says: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In the logs of app A, it seems that the token validation is done, but it stops at: at=info method=POST path="/api/v1/auth/sign_in"

Any idea?

Thank you so much in advance for any help !!!

PS: when I use a wildcard ('*') for origins in rack/cors, everything is working perfectly in production as well.
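To make the failure mode concrete, here is an added example (not code from the original post and not rack-cors's own implementation) of the decision a CORS allowlist makes: only a request whose Origin header matches an allowed entry gets Access-Control-Allow-Origin back, everything else gets no header at all, which is exactly the browser error quoted above, while a '*' allowlist answers every origin. The allowlist value, the origins and the normalization rules (lowercase scheme and host, default port dropped, trailing slash removed) are assumptions for the illustration; rack-cors matches the configured strings with its own rules, so check its documentation for the exact comparison it performs.

```ruby
require 'uri'

# Reduce an origin to scheme://host[:port] so that "https://b.example/",
# "HTTPS://B.EXAMPLE" and "https://b.example:443" compare equal.
# (Assumption for this example; rack-cors has its own matching rules.)
def normalize_origin(value)
  s = value.to_s.strip
  return s if s.empty? || s == '*'
  uri = URI.parse(s)
  return s.downcase.chomp('/') unless uri.scheme && uri.host
  scheme = uri.scheme.downcase
  default_port = (scheme == 'https' ? 443 : 80)
  port = (uri.port.nil? || uri.port == default_port) ? '' : ":#{uri.port}"
  "#{scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  s.downcase.chomp('/')
end

# Parse a comma-separated allowlist such as the one an environment
# variable like the question's ENV['authorized_api_call_origin'] might hold.
def parse_allowed_origins(raw)
  raw.to_s.split(',').map { |o| normalize_origin(o) }.reject(&:empty?)
end

# Decide which CORS response headers to emit for a request.
# Returns an empty Hash when the origin is not allowed: no
# Access-Control-Allow-Origin header is sent, and the browser reports
# exactly the error quoted in the question.
def cors_headers_for(request_origin, allowed, expose: [])
  return {} if request_origin.nil? || request_origin.empty?
  origin = normalize_origin(request_origin)

  if allowed.include?('*')
    allow_value = '*'                  # wildcard: every origin is answered
  elsif allowed.include?(origin)
    allow_value = request_origin       # echo the requesting origin back
  else
    return {}                          # not on the allowlist: no header
  end

  headers = { 'Access-Control-Allow-Origin' => allow_value, 'Vary' => 'Origin' }
  # devise_token_auth clients read the token from response headers, so
  # those headers must also be exposed or the browser hides them.
  headers['Access-Control-Expose-Headers'] = expose.join(', ') unless expose.empty?
  headers
end

# Constructed sample values for the walk-through (not real hosts).
ALLOWED = parse_allowed_origins('https://app-b.example.test')
EXPOSE  = ['access-token', 'expiry', 'token-type', 'uid', 'client']

# Show how the same App B, reached under three different origins, fares
# against a single-entry allowlist: only the exact match gets the header.
def demo
  [
    'https://app-b.example.test',      # matches the allowlist entry
    'https://www.app-b.example.test',  # different host: blocked
    'http://app-b.example.test',       # different scheme: blocked
  ].map { |o| [o, cors_headers_for(o, ALLOWED, expose: EXPOSE)] }
end

demo.each { |origin, headers| puts "#{origin} -> #{headers.inspect}" } if $PROGRAM_NAME == __FILE__
```

When debugging a report like the one above, the useful check is to compare the exact Origin header the failing browser sends (visible in its network tab) with the normalized allowlist entries: a different host, scheme or port on the second device explains a missing header without any change in the token logic.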
