Get request failed with custom header

Question

Here is my AngularJS code, (it works fine if I remove the header option).

$http.get(env.apiURL()+'/banks', {
    headers: {
        'Authorization': 'Bearer '+localStorageService.get('access_token')
    }
})

Here is the request:

OPTIONS /banks HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
Access-Control-Request-Headers: accept, authorization
Accept: */*
Referer: http://localhost:8081/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,vi;q=0.6

And response:

HTTP/1.1 404 Not Found
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: http://localhost:8081
Content-Type: text/plain; charset=utf-8
Date: Mon, 17 Mar 2014 11:05:20 GMT
Content-Length: 19

I added both Accept and Authorization header but the request still fails?
Does the capitalization (I mean authorization vs Authorization) result in that failure? If yes, how can I make AngularJS stop doing that?

if origin := req.Header.Get("Origin"); origin == "http://localhost:8081" {
    rw.Header().Set("Access-Control-Allow-Origin", origin)
    rw.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
    rw.Header().Set("Access-Control-Allow-Headers",
        "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
}

Go server routing code:

r := mux.NewRouter()
r.HandleFunc("/banks", RetrieveAllBank).Methods("GET")

http.ListenAndServe(":8080", r)

Try to share your rounting code in go, because you are receiving a 404 Not Found — nicowernli, Mar 17 '14 at 12:18
OK, I have add the routing code. Do you think I should enable "OPTIONS" in the router? — nvcnvn, Mar 17 '14 at 12:37
Any middleware trying to handle the Authorization header? I tried your code (without AngularJS) and it works ok. Maybe your ORIGIN header is not correct. — nicowernli, Mar 17 '14 at 12:50
Ah OK, the issue is there is no handler for the "OPTIONS" method. Thanks for your time :) — nvcnvn, Mar 17 '14 at 13:14
@nvcnvn If that's the answer to your question, please answer your own question and mark it as answered. Thanks! — nemo, Mar 17 '14 at 14:43

score 8 · Accepted Answer · answered Mar 17 '14 at 15:07

OK, the issue because I fotgot to handle the "OPTIONS" request (to make a CORS browser will send a preflight OPTIONS request first and then the 'real' request if accepted by the server).
I only need to modify my Go server (see the comment):

func main() {
    r := mux.NewRouter()
    r.HandleFunc("/banks", RetrieveAllBank).Methods("GET")
    http.ListenAndServe(":8080", &MyServer{r})
}

type MyServer struct {
    r *mux.Router
}

func (s *IMoneyServer) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
    if origin := req.Header.Get("Origin"); origin == "http://localhost:8081" {
        rw.Header().Set("Access-Control-Allow-Origin", origin)
        rw.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
        rw.Header().Set("Access-Control-Allow-Headers",
            "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
    }
    // Stop here if its Preflighted OPTIONS request
    if req.Method == "OPTIONS" {
        return
    }
    // Lets Gorilla work
    s.r.ServeHTTP(rw, req)
}

Just wanted to say, thanks for posting this answer I added it as an answer on http://stackoverflow.com/questions/12830095/setting-http-headers-in-golang/24818638#24818638 a while back because all others failed except this one and people are more likely to run into that thread via google — Matt Bucci, Dec 08 '14 at 12:19
I solved this in a similar manner in NodeJS, just jumped out of the Auth filter basically. It's hacky, but I think this needs to be done, just by the nature of how OPTIONS works in the browser. — John Paul Barbagallo, Feb 16 '15 at 15:32

Get request failed with custom header

1 Answers1

Linked