Preflight checks with CORS

[germanp]

Hi!

I found that the web browser (and probably any client that support cors) when it makes a request (either GET, PUT or POST) to another domain it first attempts to do an OPTION request in order to verify the cors headers. This way it checks the domains allowed and haeders. But this OPTIONS request is always sent without the authorization header. That means, with the default falcon-cors configuration, that the cors are going to fail with a 401 code (authorization header not found), and it is weird because you actually do the request with the headers in.

You can easily fix that by exepting the authentication for OPTIONS method:

auth_middleware = FalconAuthMiddleware(auth_backend, exempt_methods=['HEAD', 'OPTIONS'])

But I think will be better to add some aclaration in the docs or even change the default behaiviour to avoid this issue. What do you think?

[jcwilson]

The default behavior does avoid that issue. See the docs for the exempt_methods argument here where it specifies that ['OPTIONS'] is indeed the default.

Perhaps you were overriding it in your application by just providing 'HEAD'?

[germanp]

Yes, you are right. I copied the example from https://github.com/loanzen/falcon-auth#usage

[jcwilson]

Ah, that's unfortunate that the example code removes the 'OPTIONS' item like that. Would you like to create a PR to update those docs? I haven't had any time to dedicate to this project lately, but I feel like we could at least land that one :)