I have implemented my own Rate Limit in SS.
However, as the service itself is called from a SPA with CORS enabled, the actual HTTP error 429 is not passed through to the SPA; instead I get the CORS error:
Access to fetch at 'https://(webapi)/json/reply/XXXX' from origin '(website)' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
Is there a way to avoid this, so that instead of the CORS policy error I can provide the 429?
If I use the API call directly I do get the 429 as expected.
POST /json/reply/BotProcessAnonymousMessage HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Accept-Encoding: gzip, deflate, br
HTTP/1.1 429 Too many Requests. Back-off and try again later.
Date: Sat, 21 Mar 2020 11:17:44 GMT
In my console:
Access to fetch at 'http://localhost:5000/json/reply/BotProcessAnonymousMessage' from origin 'http://localhost:3000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
index.js?7626:829 POST http://localhost:5000/json/reply/BotProcessAnonymousMessage net::ERR_FAILED
And the try/catch in my Vue app gives this as ‘error’:
TypeError: Failed to fetch
So basically the ServiceStack call is fine, gives me the 429.
However, the browser (and the ServiceStack JsonClient) seems to “see” the CORS issue as the root cause.