Yii
Artem, 2017-05-13 15:47:39

Do I need to specify AllowCredentials = true for CORS basic http authorization?

Hello. The question arose: I can’t authorize a user on a third-party API domain in any way.
The server uses yii2; here is the cors filter configuration:

public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['corsFilter'] = [
            'class' => \yii\filters\Cors::className(),
            'cors' => [
                'Origin' => ['*'],
                'Access-Control-Request-Headers' => ['X-Authentication', 'Authorization'],
                'Access-Control-Request-Methods' => ['OPTIONS', 'GET', 'PUT', 'PATCH', 'DELETE', 'POST']
                //'Access-Control-Allow-Credentials' => true,
                ]
        ];
        $behaviors['authenticator'] = [
            'class' => HttpBasicAuth::className(),
            'auth' => [$this, 'auth'],
            'except' => ['options']
        ];
        return $behaviors;
    }

Client:
function sendToken() {
    var username = $("input#login").val();
    var password = $("input#password").val();
    var token = "Basic " + btoa(username + ":" + password);
    console.log(token);

    $.ajax({
        url: 'http://admin.tech.local/api/voyages',
        type: 'GET',
        crossDomain: true,
        success: function (){
            alert('Thanks for your comment!');
        },
        beforeSend: function (xhr) {
            xhr.setRequestHeader('Authorization', token);
        }
    })
}

I read that you need to specify AllowCredentials, but this header tells the browser to pass cookies, while there are no sessions in my API.
Where did I take a wrong turn?


1 answer(s)
Maxim Timofeev, 2017-05-13
@webinar

And how do cookies depend on the fact that you do not have a session?
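
Added example, not part of the original question or answer: a simplified JavaScript model of the check a browser applies to the preflight (OPTIONS) response before sending a request like the one in the question. It shows that an Authorization header set by script only has to be named in Access-Control-Allow-Headers, while Access-Control-Allow-Credentials matters only when the request is sent with withCredentials. The function name, field names and sample origin are assumptions.

```javascript
// Simplified model of the browser's CORS preflight decision (Fetch standard).
// Function and field names are hypothetical; the sample responses are constructed.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
// Value restrictions on safelisted headers (e.g. Content-Type) are not modelled.
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'];

const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

// req: { origin, method, headers: [names set by script], withCredentials }
// pre: { status, headers: { lowercase-name: value } } -- the OPTIONS response
function preflightVerdict(req, pre) {
  const h = pre.headers;
  if (pre.status < 200 || pre.status > 299) return 'blocked: preflight status ' + pre.status;
  const acao = h['access-control-allow-origin'];
  if (req.withCredentials) {
    if (acao !== req.origin) return 'blocked: credentialed request needs the exact origin';
    if (h['access-control-allow-credentials'] !== 'true') return 'blocked: Allow-Credentials missing';
  } else if (acao !== '*' && acao !== req.origin) {
    return 'blocked: origin not allowed';
  }
  const wildcardOk = !req.withCredentials; // "*" is literal on credentialed requests
  const methods = list(h['access-control-allow-methods']);
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method.toLowerCase()) &&
      !(wildcardOk && methods.includes('*'))) return 'blocked: method ' + req.method;
  const allowed = list(h['access-control-allow-headers']);
  for (const name of req.headers.map(n => n.toLowerCase())) {
    if (SAFE_HEADERS.includes(name)) continue;
    // "authorization" is never covered by "*"; it must be listed by name.
    const star = wildcardOk && name !== 'authorization' && allowed.includes('*');
    if (!allowed.includes(name) && !star) return 'blocked: header ' + name;
  }
  return 'allowed';
}

// Constructed samples: the page's GET with a script-set Authorization header.
const REQ = { origin: 'http://client.example', method: 'GET', headers: ['Authorization'], withCredentials: false };
const OK = { status: 200, headers: {
  'access-control-allow-origin': '*',
  'access-control-allow-headers': 'X-Authentication, Authorization' } };
console.log(preflightVerdict(REQ, OK));
console.log(preflightVerdict(REQ, { status: 401, headers: {} }));
console.log(preflightVerdict({ ...REQ, withCredentials: true }, OK));
```

The 401 case models a server whose authentication filter also runs on the OPTIONS request, which the browser sends without the Authorization header.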
