API Action does not send credentials or method when using DELETE method

I want to use standard request methods in my app (e.g. DELETE, POST, GET). I know I can use Server Connect forms, but they only support GET and POST.

API Actions appear to support DELETE, but the Credentials and DELETE method are not being sent so I’m getting a CORS error.

This video shows the same API Action with the method set to POST and then DELETE. In POST everything works correctly, but DELETE is missing the method and secuirty.auth cookies.

Screenshot showing cookies and method missing.

Good day, @patrick. Any updates on this?

Looks like the first part of the issue is in the cors section of ./lib/setup/config.js

This is what was in there.

    cors: { // see https://github.com/expressjs/cors
        origin: false,
        methods: 'GET,POST',
        allowedHeaders: '*',
        credentials: true
    },

Once I changed to this I got past the cors preflight errors. For some reason I had to explicitly define the headers.

    cors: { // see https://github.com/expressjs/cors
        origin: false,
        methods: 'GET,POST,DELETE',
        allowedHeaders: 'Content-Type, Authorization, X-Requested-With, Accept, Origin',
        credentials: true
    },

I then set up a Server Connect route /api/v1/contactgroups/:groupid, but the challenge now is easily setting this dynamically in the API Action. I can get it to work by hardcoding the :groupid.

The config.js file just contains all the defaults, not the actual config. You can set the cors configuration using the Server Connect Settings within Wappler.

Thanks Patrick. I’ve had those set since starting the app, but I had to make the modifications in config.js to get closer to it working. Still stuck on dynamically setting the route in an API action.

As you mentioned, the DELETE method was not needed in config.js, but adding the AllowedHeaders is needed. Please see this video showing what happens when AllowedHeaders is set to * versus 'Content-Type, Authorization, X-Requested-With, Accept, Origin'.

Also, when using Beta channel the only method sent is GET. Setting POST, PATCH, PUT, or DELETE in the API action does not appropriately change the method. So anyone using Beta channel will not be able to use API actions for anything other than GET actions at the moment.

The “*” does indeed seem to be an invalid value for the allowed headers when credentials is used. I removed it from the defaults; the default behavior of the CORS middleware is to reflect the headers specified in the request’s Access-Control-Request-Headers header.

Thanks @patrick! Should I open a separate bug for this or you got it in the fix?

Fixed in Wappler 6.0.2
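
Added example (not part of the thread, and not Wappler's or the cors middleware's code): a simplified JavaScript model of the browser's CORS-preflight check, showing why `allowedHeaders: '*'` fails for a credentialed DELETE while an explicit or reflected header list passes. The function names, the sample request and its `content-type` header are assumptions made for illustration, and the Origin check is assumed to have passed.

```javascript
// Added example; a simplified model of the Fetch standard's CORS-preflight check.
// Assumes the Origin check already passed. All names and sample values are constructed.
const parseList = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Map cors-middleware style options to preflight response headers.
// allowedHeaders left undefined => reflect Access-Control-Request-Headers.
function preflightResponse(options, requestedHeaders) {
  return {
    'access-control-allow-methods': options.methods,
    'access-control-allow-headers':
      options.allowedHeaders === undefined ? requestedHeaders.join(', ') : options.allowedHeaders,
    'access-control-allow-credentials': options.credentials ? 'true' : undefined,
  };
}

// Decide, as the browser does, whether the real request may be sent.
function browserAcceptsPreflight(request, response) {
  const withCredentials = request.credentials === 'include';
  if (withCredentials && response['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials not allowed' };
  }
  const methods = parseList(response['access-control-allow-methods']);
  const headers = parseList(response['access-control-allow-headers']);
  const method = request.method.toLowerCase();
  // "*" is a wildcard only for requests without credentials.
  const methodOk = ['get', 'head', 'post'].includes(method) || methods.includes(method) ||
    (!withCredentials && methods.includes('*'));
  if (!methodOk) return { ok: false, reason: `method ${request.method} not allowed` };
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    // Authorization is never covered by the wildcard, with or without credentials.
    const wildcard = !withCredentials && headers.includes('*') && name !== 'authorization';
    if (!headers.includes(name) && !wildcard) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: 'preflight passed' };
}

// Constructed request: a credentialed DELETE carrying one non-safelisted header.
const sampleRequest = { method: 'DELETE', credentials: 'include', headers: ['content-type'] };
function check(options, request = sampleRequest) {
  return browserAcceptsPreflight(request, preflightResponse(options, request.headers));
}

console.log(check({ methods: 'GET,POST,DELETE', allowedHeaders: '*', credentials: true }));
console.log(check({ methods: 'GET,POST,DELETE', credentials: true }));
```
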
