I run the exact same code on Android and Web by using Dio for sending requests and what I see is that my backend doesn't get my custom added headers when I send the request from browser, but everything works fine if I do the same from emulator.
CORS is correctly setup on my backend.
Dio dio = Dio();
dio.options.headers[HttpHeaders.authorizationHeader] = "Bearer $token";
final Response response = await dio.get("http://$host:$port/$path", queryParameters: {"searchText": searchQuery, "page": 0, "pageSize": 100});
Additional information
post request works fine, the header is only missing from get requests. Either I use the http or dio packages.
However I can see in my server logs the following line when I log out all the headers of the request:
headerName: access-control-request-headers
header: authorization
Has anyone seen something similar?
As it seems I had to enable cors in spring security separatelly.
httpSecurity.csrf().disable()
.cors().and()
.authorizeRequests()
.antMatchers("/api/admin/**").hasRole("ADMIN")
.antMatchers("/api/support/**").hasRole("SUPPORT")
.antMatchers("/**").permitAll()
.and().exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter::class.java)
Once I did so everything started to work.
So to sum up,
I used my custom headers in other places those were handled by my global CorsFilter but headers related to spring-security like Authorization are handled by spring-security so cors has to be enabled there as well regardles if I added Authorization to my global CorsFilter or not.