
I have implemented auth in my django app using django-rest-auth. My settings in settings.py:

ALLOWED_HOSTS = []

# Application definition

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    'rest_framework.authtoken',
    'rest_auth',
    'django.contrib.sites',
    'allauth',
    'allauth.account',
    'rest_auth.registration',
    'corsheaders',
    'rest_framework_docs',
    'tasks'
]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'urls'
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
ALLOWED_HOSTS = ['*']

SITE_ID = 1

I am logged in from my frontend. I received a token, which I have stored in my local storage. Now I am making a simple GET request like the following:

  getTasks(): Observable<Task[]> {

    // Access-Control-Allow-Origin is a response header; sending it as a request header
    // is what makes the browser preflight this GET (see the answer below).
    let headers = new Headers({ 'Access-Control-Allow-Origin': '*' });
    let options = new RequestOptions({ headers: headers, withCredentials: true });

    return this.http.get(this.taskUrl, options)
    .map(this.extractData)
    .catch(this.handleError);
  }

But it gives me: "Request header field Access-Control-Allow-Origin is not allowed by Access-Control-Allow-Headers in preflight response", although I am including withCredentials.

What am I doing wrong?

P.S.: If I remove options from POST, then there is no error, but I get incorrect data because my backend returns data for a specific user.

1 Answer


Remove this line,

let headers = new Headers({ 'Access-Control-Allow-Origin': '*' });

from your getTasks() function. You don't need to specify those options to the server. django-cors-headers takes care of that.


7 Comments

It did work, but why exactly? I always used to add headers and credentials before!
Django rejects any requests with the Access-Control-Allow-Origin option in the header. You don't need to explicitly provide it.
The client sends an Access-Control-Request-Headers to request allowing certain headers; the server responds back with an Access-Control-Allow-Headers that lists the actual headers it's going to allow. The client does not get to demand what headers are allowed.
Okay I understand now :) Thanks for explaining!
Would you please do me a favour and tag the answer as selected, then?
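To make the preflight exchange described in the comments concrete, here is an added example (not code from the question, the answer, or django-cors-headers) that models the browser's decision for the request in the question and for the corrected request. The server's allowed-header list is assumed to match django-cors-headers' default CORS_ALLOW_HEADERS, and the token value is a placeholder.

```javascript
// Headers a browser sends cross-origin without a preflight (CORS-safelisted).
// Simplified: Content-Type is only safelisted for a few values; treated as safelisted here.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Assumed default CORS_ALLOW_HEADERS of django-cors-headers. This is the server's
// list; nothing the client puts in its request can extend it.
const SERVER_ALLOWED_HEADERS = [
  'accept', 'accept-encoding', 'authorization', 'content-type', 'dnt',
  'origin', 'user-agent', 'x-csrftoken', 'x-requested-with',
];

// Server side of the preflight: answers the OPTIONS request with the headers it
// allows. Access-Control-Request-Headers from the client is only a question,
// so the response does not depend on it.
function preflightResponse(accessControlRequestHeaders) {
  return {
    'access-control-allow-origin': '*',
    'access-control-allow-headers': SERVER_ALLOWED_HEADERS.join(', '),
  };
}

// Browser side: which request headers force a preflight, and which of those the
// server's Access-Control-Allow-Headers does not cover (those block the request).
function preflightCheck(requestHeaders) {
  const names = Object.keys(requestHeaders).map((h) => h.toLowerCase());
  const needPreflight = names.filter((h) => !SAFELISTED.has(h));
  if (needPreflight.length === 0) return { preflight: false, blocked: [] };
  const resp = preflightResponse(needPreflight);
  const allowed = new Set(
    resp['access-control-allow-headers'].split(',').map((s) => s.trim().toLowerCase())
  );
  return { preflight: true, blocked: needPreflight.filter((h) => !allowed.has(h)) };
}

// Constructed samples: the question's request with a response header on the
// request side, the request after the answer's fix (cookies only, no custom
// headers), and a token-authenticated variant (placeholder token value).
const questionRequest = { 'Access-Control-Allow-Origin': '*' };
const fixedRequest = {};
const tokenRequest = { Authorization: 'Token <token-from-local-storage>' };

console.log(preflightCheck(questionRequest)); // preflight, blocked: ['access-control-allow-origin']
console.log(preflightCheck(fixedRequest));    // no preflight at all
console.log(preflightCheck(tokenRequest));    // preflight, blocked: [] (authorization is allowed)
```

The Authorization variant goes beyond the question: it shows that a header the server lists is fine even though it still triggers a preflight.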