Enabling CORS for Cowboy REST API

Cowboy documentation says you need to set header by using set_resp_headers, not return a list of headers:

 %% If you need to add additional headers to the response at this point,
 %% you should do it directly in the options/2 call using set_resp_headers.

So your code should look like:

options(Req, State) ->
    Req1 = cowboy_req:set_resp_header(<<"access-control-allow-methods">>, <<"GET, OPTIONS">>, Req),
    Req2 = cowboy_req:set_resp_header(<<"access-control-allow-origin">>, <<"*">>, Req1),
    {ok, Req2, State}.

You can test with

curl -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
http://localhost:8080
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8080 (#0)
> OPTIONS / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r     zlib/1.2.5
> Host: localhost:8080
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 200 OK
< connection: keep-alive
< server: Cowboy
< date: Mon, 25 Mar 2013 15:59:11 GMT
< content-length: 0
< access-control-allow-methods: GET, OPTIONS
< access-control-allow-origin: *
<
* Connection #0 to host localhost left intact
* Closing connection #0

My REST allows acceess to resources only and only if token is provided. So I had to implement is_authorized/2 callback which is different for OPTIONS and GET requests. See below:

1) Implement options/2 as follows

options(Req0, State) ->
  % cors
  Req1 = cowboy_req:set_resp_header(
    <<"access-control-allow-methods">>, <<"GET, OPTIONS">>, Req0),
  Req2 = cowboy_req:set_resp_header(
    <<"access-control-allow-origin">>, <<"*">>, Req1),
  Req3 = cowboy_req:set_resp_header(
    <<"access-control-allow-headers">>, <<"authorization">>, Req2),
  {ok, Req3, State}.

2) Implement is_authorized/2 as follows

is_authorized(Req, State) -> 
  case cowboy_req:method(Req) of
    <<"GET">> ->
      case cowboy_req:parse_header(<<"authorization">>, Req) of
        {bearer, <<Token/binary>>} ->
          {true, Req, Token};
        _ ->
          {{false, <<"Basic realm=\"cowboy\"">>}, Req, State}
      end;
    <<"OPTIONS">> ->
      {true, Req, State}
  end.

3) to_json/2 method sending access-control-allow-origin

to_json(Req0, State) ->
  R = #{ foo => [<<"bar">>] },
  % cors
  Req1 = cowboy_req:set_resp_header(
      <<"access-control-allow-origin">>, <<"*">>, Req0),
  Body = jsx:encode(R),
  {Body, Req1, State}.

Tags:

Rest

Erlang

Cors

Cowboy

Related

setEnabled() vs setClickable(), what is the difference? Get div height with plain JavaScript How do I create a ReactiveCocoa subscriber that receives a signal only once, then unsubscribes/releases itself? If statement in select (ORACLE) Object Library Not Registered When Adding Windows Common Controls 6.0 Parallel top ten algorithm for distributed data In SQL Server 2008 R2 error occurred while start debugging, Error HRESULT E_FAIL has been returned from a call to a COM component. (mscorlib) Spring’s embedded H2 datasource and DB_CLOSE_ON_EXIT How to push a new folder (containing other folders and files) to an existing git repo? How does C# async/await relates to more general constructs, e.g. F# workflows or monads? How to pass a user defined argument in scrapy spider Customize UITableView header section

Recent Posts