Enabling CORS for Cowboy REST API
Cowboy documentation says you need to set header by using set_resp_headers, not return a list of headers:
%% If you need to add additional headers to the response at this point,
%% you should do it directly in the options/2 call using set_resp_headers.
So your code should look like:
options(Req, State) ->
Req1 = cowboy_req:set_resp_header(<<"access-control-allow-methods">>, <<"GET, OPTIONS">>, Req),
Req2 = cowboy_req:set_resp_header(<<"access-control-allow-origin">>, <<"*">>, Req1),
{ok, Req2, State}.
You can test with
curl -H "Origin: http://example.com" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: X-Requested-With" \
-X OPTIONS --verbose \
http://localhost:8080
* About to connect() to localhost port 8080 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8080 (#0)
> OPTIONS / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: localhost:8080
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 200 OK
< connection: keep-alive
< server: Cowboy
< date: Mon, 25 Mar 2013 15:59:11 GMT
< content-length: 0
< access-control-allow-methods: GET, OPTIONS
< access-control-allow-origin: *
<
* Connection #0 to host localhost left intact
* Closing connection #0
My REST allows acceess to resources only and only if token is provided. So I had to implement is_authorized/2
callback which is different for OPTIONS and GET requests. See below:
1) Implement options/2
as follows
options(Req0, State) ->
% cors
Req1 = cowboy_req:set_resp_header(
<<"access-control-allow-methods">>, <<"GET, OPTIONS">>, Req0),
Req2 = cowboy_req:set_resp_header(
<<"access-control-allow-origin">>, <<"*">>, Req1),
Req3 = cowboy_req:set_resp_header(
<<"access-control-allow-headers">>, <<"authorization">>, Req2),
{ok, Req3, State}.
2) Implement is_authorized/2
as follows
is_authorized(Req, State) ->
case cowboy_req:method(Req) of
<<"GET">> ->
case cowboy_req:parse_header(<<"authorization">>, Req) of
{bearer, <<Token/binary>>} ->
{true, Req, Token};
_ ->
{{false, <<"Basic realm=\"cowboy\"">>}, Req, State}
end;
<<"OPTIONS">> ->
{true, Req, State}
end.
3) to_json/2
method sending access-control-allow-origin
to_json(Req0, State) ->
R = #{ foo => [<<"bar">>] },
% cors
Req1 = cowboy_req:set_resp_header(
<<"access-control-allow-origin">>, <<"*">>, Req0),
Body = jsx:encode(R),
{Body, Req1, State}.