How to enable support for CORS with custom headers like authentication in Rails
I was building a client side application for my API that I built using Rails/Grape. So in order to access the resources using the API from the client application the first thing that I need to do was to enable CORS support in the API.
Enabling CORS using rack-cors gem
I did everything as was said in README, that is updated Gemfile accordingly and updated application.rb like this:
module YourApp class Application < Rails::Application # ... config.middleware.use Rack::Cors do allow do origins '*' resource '*', :headers => :any, :methods => [:get, :post, :options] end end end end
It was pretty much straight forward, and now I have the CORS support enabled. My client side app should be able to access the API easily.
Problem: Custom Headers like Authorization.
Now that I had the CORS setup, I tried to authenticate the user using JWT, and the authorization header. I was stumped to see that the server is not returning the authorization headers.
After some dabbling with the code, I figured out that the authorization headers were not accessible only from another domain - Something wrong with the CORS setup.
Reason: Custom headers were not exposed by default with the rack-cors gem.
By default, the rack-cors gem only exposes certain values like
So the authorization header that I was setting wasn't being exposed over to the cross-origin requests.
Expose custom headers.
To expose any custom headers, we need to explicitly specify the keys in our configuration.
config.middleware.use Rack::Cors do allow do origins '*' resource '*', :headers => :any, :expose => ['access-token', 'expiry', 'token-type', 'Authorization'], :methods => [:get, :post, :options, :delete, :put] end end
So adding the
expose key to the rack-cors configuration now exposes any custom headers like Authorization header