requireSession breaks CORS #41

Open
andrewresearch opened this issue Aug 8, 2017 · 3 comments

@andrewresearch

My CORS configuration works perfectly until I use requireSession. I have tried many different configurations with no success in getting both CORS and Sessions working together. I'm guessing that requireSession overwrites headers that I set for CORS, but I am uncertain of this. Any suggestions?

@adamw
Member

adamw commented Aug 8, 2017

Do you mean the requiredSession directive? It would be weird if it broke anything, as it basically reads data from the headers. Unless you have refreshable sessions and the session is re-created from a token?

It would be helpful if you could post a code snippet demonstrating the problem.

@andrewresearch
Author

andrewresearch commented Aug 9, 2017

Yes, sorry. This is how I set it up. Adding requiredSession(oneOff,usingHeaders) effectively nullified my CORS setting. If I get the headers manually myself, CORS works as expected. I'm using akka-http-cors to implement CORS. Note, I tried both refreshable and oneOff, in combination with usingHeaders and usingCookies.

val sessionConfig = SessionConfig.default(SessionUtil.randomServerSecret())
implicit val sessionManager = new SessionManager[String](sessionConfig)
implicit val refreshTokenStorage = new InMemoryRefreshTokenStorage[String] {
  def log(msg: String) = System.out.println(msg)
}

def sessionSet(session: String) = setSession(oneOff, usingHeaders, session)

val sessionRequired = requiredSession(oneOff, usingHeaders)

@adamw
Member

adamw commented Aug 9, 2017

Hm, well in the oneOff case, the only thing that requiredSession does is read a header value; otherwise the context is unchanged. In your tests, is the session properly decoded during the request? Maybe the session header isn't set and the request is rejected because there's no session?
