FIRST-Tech-Challenge / scorekeeper

FIRST Tech Challenge Live Scorekeeper Software

Missing CORS headers on API endpoints #670

Closed timtim17 closed 10 months ago

timtim17 commented 10 months ago

Describe the bug

My understanding per #231 is that API endpoints should respond with CORS headers set to Access-Control-Allow-Origin: *.

At my event today, I tried making some API requests and ran into CORS issues. I don't see headers related to CORS in the response.

To Reproduce

Steps to reproduce the behavior:

  1. Go to an API route such as http://$IP/api/v1/events/ or http://$IP/api/v1/version/
  2. Observe headers do not include CORS headers

Expected behavior

Response should include CORS headers

Screenshots

 aus@vice   ❯  curl -v http://10.226.0.164/api/v1/events/
*   Trying 10.226.0.164:80...
* Connected to 10.226.0.164 (10.226.0.164) port 80 (#0)
> GET /api/v1/events/ HTTP/1.1
> Host: 10.226.0.164
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 02 Dec 2023 17:26:47 GMT
< Content-Type: application/json
< Content-Language: en
< Content-Length: 38
<
* Connection #0 to host 10.226.0.164 left intact
{"eventCodes":["uswabam1","uswabam2"]}%

Additional context

FTC Live version v5.1.5

maths22 commented 10 months ago

The server only returns CORS headers in requests that include an Origin header. See e.g.

$ curl -H 'Origin: https://example.com' -v http://localhost/api/v1/events/
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /api/v1/events/ HTTP/1.1
> Host: localhost
> User-Agent: curl/8.1.2
> Accept: */*
> Origin: https://example.com
> 
< HTTP/1.1 200 OK
< Date: Wed, 06 Dec 2023 20:21:31 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Vary: Origin
< Content-Language: en
< Content-Length: 151
< 
* Connection #0 to host localhost left intact
{"eventCodes":["test"]}

If you are having CORS issues from a site/application, we will need more information on the specific request being sent and the error being thrown.
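The behaviour maths22 describes, as an added example that is not part of this thread or of the scorekeeper project's code: a minimal local HTTP server that, like the scorekeeper, emits Access-Control-Allow-Origin: * and Vary: Origin only when the request carries an Origin header, plus a probe that reproduces both curl runs above. The server logic and the `{"eventCodes": ["test"]}` payload are constructed for the example and are assumptions about the real server, not its implementation.

```python
"""Added example (not the scorekeeper project's code): a server that adds CORS
headers only to requests that carry an Origin header, and a probe that shows why
a plain curl without Origin sees no Access-Control-Allow-Origin."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample payload standing in for the real /api/v1/events/ body.
SAMPLE_EVENTS = {"eventCodes": ["test"]}


def cors_headers(request_headers):
    """Return the extra response headers a server in this style adds.

    Only a request carrying an Origin header (what a browser sends for a
    cross-origin fetch) gets Access-Control-Allow-Origin.  Vary: Origin tells
    caches that the response depends on that request header, so a copy cached
    for an Origin-less client (curl, a same-origin page) is not replayed to a
    cross-origin browser request, and vice versa.
    """
    if request_headers.get("Origin") is None:
        return {}
    return {"Access-Control-Allow-Origin": "*", "Vary": "Origin"}


class Handler(BaseHTTPRequestHandler):
    """Serves the constructed events document, with conditional CORS headers."""

    def do_GET(self):
        body = json.dumps(SAMPLE_EVENTS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        # self.headers is case-insensitive, so "origin" and "Origin" both match.
        for name, value in cors_headers(self.headers).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the server on an ephemeral loopback port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/api/v1/events/"


def probe(url, origin=None):
    """Fetch url the way curl does, optionally adding an Origin header, and
    return the Access-Control-Allow-Origin value seen (None when absent)."""
    req = urllib.request.Request(url)
    if origin is not None:
        req.add_header("Origin", origin)
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    server, url = start_server()
    try:
        print("without Origin:", probe(url))                        # None
        print("with Origin:   ", probe(url, "https://example.com"))  # *
    finally:
        server.shutdown()
```

Running it prints None for the Origin-less request and * for the one with Origin, which is exactly the difference between the two curl transcripts in this thread: a missing Access-Control-Allow-Origin in a plain curl response is not evidence that a browser request will fail, so a real CORS failure report needs the browser's actual request headers and the console error.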