Add preflight OPTIONS handling and update CORS config #4086

Merged
merged 3 commits into from May 8, 2024

Contributor

@BruceMacD BruceMacD commented May 1, 2024

Couple of tweaks to our CORS configuration and how we handle OPTIONS requests. This update is geared towards making our service more compatible with clients originally designed to work with OpenAI, where sending an Authorization header is common.

Details of Changes

  1. Handling OPTIONS Requests: I added a quick return for OPTIONS requests in our allowedHostsMiddleware. This means we're now ending these preflight requests with a 204 (No Content) status right off the bat.

  2. Updating CORS for Authorization Headers: Since some of the Ollama clients automatically send an Authorization header (because they're set up for OpenAI), I've updated our CORS config to accept these headers. This is needed for making sure these clients can interact with our service without hitting CORS.

Security

Since we're not currently using the Authorization header for our own authentication, allowing this header doesn't open us up to new security risks as long as we don't have auth.

Enabling the OPTIONS method is mainly about letting browsers do their preflight check when they see that Authorization header. It's pretty standard and doesn't pose a direct risk by itself as far as I am aware.

resolves #4001
resolves #3983
resolves ollama/ollama-js#80
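
The preflight behaviour described in the comment above, as an added standard-library sketch (not code from this pull request or from the project): OPTIONS is answered with 204 before any handler runs, and the `Authorization` request header is advertised only to allow-listed origins. The names `corsPreflight`, `probe` and `allowedOrigins`, the example origins and the URL are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allow-list standing in for an origin setting such as OLLAMA_ORIGINS.
var allowedOrigins = map[string]bool{"https://app.example": true}

// corsPreflight (hypothetical name) adds CORS headers for allow-listed origins
// and ends every OPTIONS request with 204 No Content.
func corsPreflight(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if o := r.Header.Get("Origin"); allowedOrigins[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight ends here; the handler never runs
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through the middleware and reports the status, the
// two CORS response headers, and whether the wrapped handler was reached.
func probe(method, origin string) (status int, allowOrigin, allowHeaders string, reached bool) {
	h := corsPreflight(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reached = true
	}))
	req := httptest.NewRequest(method, "http://localhost/api/example", nil) // constructed URL
	req.Header.Set("Origin", origin)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Headers", "authorization")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Access-Control-Allow-Headers"), reached
}

func main() {
	for _, o := range []string{"https://app.example", "https://other.example"} {
		code, ao, ah, ran := probe(http.MethodOptions, o)
		fmt.Printf("%s -> %d allow-origin=%q allow-headers=%q handler-ran=%v\n", o, code, ao, ah, ran)
	}
}
```

The origin that is not allow-listed still receives a 204, but without `Access-Control-Allow-Origin` the browser fails the preflight and does not send the actual request.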

@dhiltgen
Collaborator

dhiltgen commented May 4, 2024

We'll want to sequence this with #4154 if we decide to proceed with that one.

- Implement early return with HTTP 204 (No Content) for OPTIONS requests in allowedHostsMiddleware to optimize preflight handling.

- Extend CORS configuration to explicitly allow 'Authorization' headers and 'OPTIONS' method when OLLAMA_ORIGINS environment variable is set.

@BruceMacD BruceMacD merged commit cef45fe into main May 8, 2024
12 checks passed
@BruceMacD BruceMacD deleted the brucemacd/auth-cors branch May 8, 2024 20:14