CORS token authentication with devise token auth.
3 months ago

Hi all !

Do you like backend and security issues? This one is for you ;)

Let's say we have app A and app B. App A is my backend, serving data on request to app B (my customer interface) via API. App B user is authenticated to app A with devise token auth.

For security reasons, App A must accept requests only from authorized origins. The setup is done using the rack/cors gem. Therefore, in config.rb of App A, I have:

# Insert Rack::Cors at position 0 so it runs before any other middleware.
config.middleware.insert_before 0, Rack::Cors do
  allow do
    # Only this origin receives CORS headers; it must match the browser's Origin header exactly.
    origins "#{ENV['authorized_api_call_origin']}"
    resource '*',
      :headers => :any,
      # Expose devise_token_auth's token headers so the client can read them.
      :expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],
      :methods => [:get, :post, :options, :delete, :put]
  end
end

On localhost everything is working fine. In production, on my own computer, everything is working fine as well.

But, in production, another device or computer cannot properly authenticate from App B to App A. The console says: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In the logs of app A, it seems that the token validation is done, but it stops at: at=info method=POST path="/api/v1/auth/sign_in"

Any idea?

Thank you so much in advance for any help!!!

PS: when I use a wildcard ('*') for origin in rack/cors, everything is working perfectly in production as well.
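The behaviour the post describes (a specific origin is sometimes refused while '*' always works) comes down to how the `Origin` header sent by the browser is compared with the configured allow-list. The following is an added example, not code from the post and not the rack-cors gem itself: a minimal Rack-compatible CORS middleware written against the plain Rack interface (`call(env)` returning `[status, headers, body]`) with no gem dependency, so it runs offline. It reproduces the part of Rack::Cors behaviour that matters here: the origin must match exactly (scheme, host and port), otherwise no `Access-Control-Allow-Origin` header is written and the browser reports the error quoted above. The env var name `AUTHORIZED_ORIGINS`, its comma-separated format, the `SimpleCors` class, the example hostnames and the 403 on a refused preflight are assumptions for this example.

```ruby
# Added example (not from the original post, not the rack-cors gem).
# A minimal CORS middleware that speaks the plain Rack interface so it can be
# exercised without Rails or any gem installed.

# Assumption: a comma-separated list of allowed origins, instead of the single
# ENV['authorized_api_call_origin'] used in the post. Hostnames are constructed.
DEFAULT_ALLOWED = ENV.fetch('AUTHORIZED_ORIGINS',
                            'https://app-b.example.com,https://www.app-b.example.com')

# devise_token_auth's per-request token headers; the browser may only read
# them if the server lists them in Access-Control-Expose-Headers.
EXPOSED_HEADERS = %w[access-token expiry token-type uid client].freeze
ALLOWED_METHODS = %w[GET POST OPTIONS DELETE PUT].freeze

def parse_allowed_origins(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?)
end

# Whole-string, case-insensitive comparison: scheme, host AND port must match.
# '*' matches any origin, which is why the post's wildcard "works" everywhere,
# at the cost of letting every site on the web call the API.
def origin_allowed?(origin, allowed)
  return false if origin.nil? || origin.empty?
  allowed.any? { |a| a == '*' || a.casecmp?(origin) }
end

# Headers to add for a request from `origin`; empty hash when it is refused.
# (Simplification: the allowed origin is echoed back even for '*'.)
def cors_headers_for(origin, allowed)
  return {} unless origin_allowed?(origin, allowed)
  {
    'Access-Control-Allow-Origin'   => origin,
    'Access-Control-Allow-Methods'  => ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers'  => '*',
    'Access-Control-Expose-Headers' => EXPOSED_HEADERS.join(', '),
    'Vary'                          => 'Origin'
  }
end

class SimpleCors
  def initialize(app, allowed_origins)
    @app = app
    @allowed = allowed_origins
  end

  def call(env)
    headers = cors_headers_for(env['HTTP_ORIGIN'], @allowed)
    # Preflight: answer here without reaching the application.
    if env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return [headers.empty? ? 403 : 204, headers, []]
    end
    status, app_headers, body = @app.call(env)
    [status, app_headers.merge(headers), body]
  end
end

# Stand-in for the sign_in endpoint: it emits devise_token_auth-style headers.
SIGN_IN_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json', 'access-token' => 'tok',
          'client' => 'c1', 'uid' => 'user@example.com' }, ['{"ok":true}']]
end

def build_app(allowed = parse_allowed_origins(DEFAULT_ALLOWED))
  SimpleCors.new(SIGN_IN_APP, allowed)
end

# Hand-built Rack env for a request from a given Origin (constructed input).
def sign_in_request(origin, method: 'POST', preflight: false)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/api/v1/auth/sign_in' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = 'POST' if preflight
  env
end

if __FILE__ == $PROGRAM_NAME
  app = build_app
  ['https://app-b.example.com',      # listed: header is set
   'http://app-b.example.com',       # scheme differs: refused
   'https://app-b.example.com:3000', # port differs: refused
   'https://evil.example'].each do |o|
    _, h, _ = app.call(sign_in_request(o))
    puts "#{o.ljust(32)} -> #{h['Access-Control-Allow-Origin'] || '(no Access-Control-Allow-Origin header)'}"
  end
end
```

The point to take from it: a browser on another machine sends whatever origin it used to load App B, and if that differs from the configured value by scheme (http vs https), hostname (www vs bare domain) or port, the allow-list is a miss and the exact error from the post appears, while '*' hides the mismatch by accepting everyone. When more than one legitimate origin exists, list them all rather than widening to the wildcard, and `Vary: Origin` keeps caches from serving one origin's headers to another.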
