UStAEnts / uems-gateway

The gateway into the uems system used by the front-end.

Cannot serve requests to other microservices #7

Open Vitineth opened 4 years ago

Vitineth commented 4 years ago

Describe the bug: When other microservices make requests to the gateway endpoints they fail the CORS preflight checks due to the wrong headers being applied to the response.

To Reproduce: docker-compose up the uems-hub project and load the /events endpoint of the frontend. It will show Loading... permanently and the console will display CORS preflight errors.

Expected behavior: Events should be loaded successfully from the gateway

Desktop (please complete the following information):

Notes: Adding the following to app.ts fixes the problem temporarily but allows it to be requested from all domains (not sure if that is what we want)

app.use(function(req:any, res:any, next:any) {
  res.header("Access-Control-Allow-Origin", "*"); // update to match the domain you will make the request from
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
  next();
});

Lan2u commented 4 years ago

Which app.ts?

Will read further into this to consider the security implications of allowing all domains.

Vitineth commented 4 years ago

> Which app.ts?
>
> Will read further into this to consider the security implications of allowing all domains.

src/app.ts of this repo. As long as it's placed above the routes it should work because I got it working in very quick testing

Lan2u commented 4 years ago

What about using this https://www.npmjs.com/package/cors ?

Lan2u commented 4 years ago

It seems we should restrict the allowed origin to the front end origin (e.g. localhost:15300) and the allowed methods to POST, GET, PATCH, DELETE, OPTIONS - will look into doing this with the cors package.

Vitineth commented 4 years ago

> It seems we should restrict the allowed origin to the front end origin (e.g. localhost:15300) and the allowed methods to POST, GET, PATCH, DELETE, OPTIONS - will look into doing this with the cors package.

Would be good, we should probably base the origin off a configuration so there are minimal code changes when deploying into production. Cors package looks like a good option to make things clear and easy

Lan2u commented 4 years ago

> > It seems we should restrict the allowed origin to the front end origin (e.g. localhost:15300) and the allowed methods to POST, GET, PATCH, DELETE, OPTIONS - will look into doing this with the cors package.
>
> Would be good, we should probably base the origin off a configuration so there are minimal code changes when deploying into production. Cors package looks like a good option to make things clear and easy

Potential solution in new gateway PR
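
One way to implement the restriction discussed in this thread without extra packages, as an added example (not the uems-gateway code and not the cors package's API): the allowed origin comes from a configuration object and is matched exactly, replacing the `*` workaround. The names `CorsConfig`, `sampleConfig`, `corsHeaders` and `corsMiddleware`, and the `http://` scheme on the origin, are assumptions.

```typescript
// Added example, not uems-gateway code. All names here are hypothetical.
interface CorsConfig {
  allowedOrigins: string[]; // exact origins, loaded from deployment configuration
  allowedMethods: string[];
  allowedHeaders: string[];
}

// Constructed sample config. The http:// scheme is an assumption; the thread
// only gives "localhost:15300" as the front-end origin.
const sampleConfig: CorsConfig = {
  allowedOrigins: ["http://localhost:15300"],
  allowedMethods: ["POST", "GET", "PATCH", "DELETE", "OPTIONS"],
  allowedHeaders: ["Origin", "X-Requested-With", "Content-Type", "Accept", "Authorization"],
};

// Build the CORS response headers for one request's Origin header.
function corsHeaders(origin: string | undefined, config: CorsConfig): Record<string, string> {
  // Vary: Origin keeps caches from reusing a response across origins.
  const headers: Record<string, string> = { Vary: "Origin" };
  // Exact match only: prefix or substring checks would accept look-alike
  // origins such as http://localhost:15300.other.example.
  if (origin === undefined || config.allowedOrigins.indexOf(origin) === -1) {
    return headers; // no Allow-Origin header, so the browser blocks the read
  }
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = config.allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = config.allowedHeaders.join(", ");
  return headers;
}

// Express-style middleware; register it above the routes.
function corsMiddleware(config: CorsConfig) {
  return (req: any, res: any, next: () => void): void => {
    const headers = corsHeaders(req.headers.origin, config);
    Object.keys(headers).forEach((name) => res.setHeader(name, headers[name]));
    if (req.method === "OPTIONS") {
      // Answer the preflight here so it never reaches a route handler.
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}
```

CORS only controls which browser pages may read responses; requests sent outside a browser are not limited by it, so the gateway's own authentication still has to cover those.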