Slack files: XMLHttpRequest can not load response for preflight is invalid (redirect)

The reason he is giving you this problem is because the preflights have to be authorized by the server using CORS 1 2 3 , this is a security mechanism that works automatically in browsers but Postman is not a browser so the preflight is never performed and headers Origin , Access-Control-Request-Headers and Access-Control-Request-Method are not added automatically and the security mechanisms of the server are not activated.

Putting the Content-Type in text/plain will not help since putting a header of Authorization is no longer a "simple request". Any request that can potentially modify data no longer qualifies as a "simple request". This is the definition:

It must be done with a "simple method" which is a request made with one of the following verbs http:

It should be done with only "simple headers" which are some of the following headers :

In your case you are using a header Authorization so the cors will be activated even if you change the Content-Type. This is a mechanism that can not be avoided as it is a crucial part of web security to avoid attacks such as the CSRF .

Angular uses json by default for its Content-Type and I think Slack does not support it

Sending json to slack in to http post request

So you should do this in a config block

$httpProvider.defaults.headers.common['Content-Type'] = 'application/x-www-form-urlencoded;charset=utf8';

Or in a run block

$http.defaults.headers.common['Content-Type'] = 'application/x-www-form-urlencoded;charset=utf8';

One solution may be to send the authorization token in the query using GET. This solution I have never liked since using GET to transmit sensitive information is not a good idea. Read for more information

Is an https query string secure

link .

This would also require that Slack support this type of authentication which I think is possible using a token parameter in the query link

This would be a way of doing it

$http(
    method: 'GET',
    url: url_private_download + '?token=' + token,
    headers: {
        // Este header no es necesario si ya lo definiste usando headers.commons
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf8'
    }
});

The other solution is to obtain permission using the whole server flow but as I understand it, Slack supports cors so check that you are using link and not link to make your requests , this answer may be related:

Post request firebase response for preflight is invalid redirect cors

In a nutshell and answering your question:

  

How do I add the Authorization avoiding the preflight?

As you have it is fine, what happens is that as comments @devconcept browsers do something called preflights before the actual request. You must leave it as is and handle the OPTIONS requests on the backend side to let them pass in case you have a filter or other obstacle that prevents the passage of this type of requests. Also keep in mind the issue of CORS which is nothing more than the security that is implemented for AJAX requests for cross-referencing resources or beyond the scope of the current project, ie outside of the limits of the project.

On the other hand, I recommend using $ resource instead of $ http. You can find information that compares these objects in this page .

I think devconcept explaining it very well in your answer. I was messing with CORS and Slack and I've decided to rewrite my answer with what I've found out by contributing something else.

The request you are trying to make to download a file requires authentication, this was a change that was introduced in January 2016 and announced with this article in English

Therefore, the file download request must include the authentication header.

$http(
  method: 'GET',
  url: url_private_download,
  headers: {
    Authorization: 'Bearer ' + token,
    'Content-Type': 'application/x-www-form-urlencoded;charset=utf8'
  }
}); 

And, as devconcept has explained, this request activates the preflight mode by sending a first request OPTIONS that does not include the Authorization header. When Slack receives that request it responds with an 'HTTP 301' with the redirection to the login page because that request requires authentication, that is, Slack is not ready for this request.

From the client a file download request could be made without including the Authorization header but having previously authenticated in Slack with username and password, because the authentication would be done through the cookie.

The code would be this: (although it does not make much sense to do this from client)

$http(
  method: 'GET',
  url: url_private_download,
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded;charset=utf8'
  }
}); 

Definitely, and as you said in a comment that it was a bot, I think you are doing something on the client that you should be doing on the server and perhaps you are exposing sensitive information that could be used against you by a malicious user.

Many times we do not repair the security issues but they are very important, to me this talk that Chema Alonso gave at DotNetSpain 2016 made me even more aware of it.

I hope I have contributed something with my response, regards.

Update 3/28/2016: Clarify the part of the redirection to the Slack login page, motivated by the comment of devconcept