Preflight (OPTIONS) requests to files published with the Files API return 405

[deardooley]

Problem summary

After publishing a flat file with the Files API, preflight (OPTIONS) requests fail with a 405 saying Method Not Allowed even though a GET requests succeed as expected.

What platform services are impacted?

Files, PostIts

Which tenant were you using?

Community - https://api.agaveplatform.org

What version of the platform are you using?

2.4

How to recreate the issue

Use the Files API to grant the public user READ pemissions:

#!/bin/bash  

AGAVE_USERNAME=$(profiles-list -v me | jq -r '.username')
TEST_FILENAME="${AGAVE_USERNAME}-test-file-$(date +%s).txt"

echo "This is a test" > /tmp/$TEST_FILENAME
files-upload -F /tmp/$TEST_FILENAME -S data.agaveplatform.org $AGAVE_USERNAME
files-pems-update -u public -p READ -S data.agaveplatform.org $AGAVE_USERNAME/$TEST_FILENAME

Expected behavior

An OPTION request should return a 200 response with the proper CORS headers to allow OPTIONS, HEAD, an GET requests in modern browsers.

curl -X OPTIONS -vvv -sk -o /dev/null https://api.agaveplatform.org/files/v2/download/$AGAVE_USERNAME/system/data.agaveplatform.org/$AGAVE_USERNAME/$TEST_FILENAME

Should produce the following response:

HTTP/1.1 405 Method Not Allowed  
Date: Wed, 23 Aug 2017 17:31:21 GMT  
Server: Restlet-Framework/2.3.4  
Accept-Ranges: bytes  
Allow: GET, OPTIONS, HEAD   
Content-Type: application/json;charset=UTF-8  
Content-Length: 159  
Access-Control-Allow-Origin: *  
Access-Control-Allow-Credentials: true  
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Range  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  

Actual behavior

An OPTIONS request for the file we publishe above returns the following invalid 405 response:

curl -X OPTIONS -vvv -sk -o /dev/null https://api.agaveplatform.org/files/v2/download/$AGAVE_USERNAME/system/data.agaveplatform.org/$AGAVE_USERNAME/$TEST_FILENAME

The response will come back with a "405 Method Not Allowed"

HTTP/1.1 200 Success
Date: Wed, 23 Aug 2017 17:31:21 GMT  
Server: Restlet-Framework/2.3.4  
Accept-Ranges: bytes  
Allow: GET
Content-Type: application/json;charset=UTF-8  
Content-Length: 159  
Access-Control-Allow-Origin: *  
Access-Control-Allow-Credentials: true  
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS  
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Range  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  

An attempt to make a GET request for the published file returns the following

curl -X OPTIONS -vvv -sk -o /dev/null https://api.agaveplatform.org/files/v2/download/$AGAVE_USERNAME/system/data.agaveplatform.org/$AGAVE_USERNAME/$TEST_FILENAME

The response will come back with a "200 Success".

HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 17:41:02 GMT
Server: Restlet-Framework/2.3.4
Last-Modified: Sat, 27 May 2017 04:36:42 GMT
Content-Disposition: inline; modification-date="Sat, 27 May 17 04:36:42 GMT"; filename=dooley-test-file-1503514980.txt
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/octet-stream;charset=UTF-8
Content-Length: 7771576
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Range, Range