apex / up

Deploy infinitely scalable serverless apps, apis, and sites in seconds to AWS.
https://up.docs.apex.sh
MIT License
8.78k stars 373 forks

cors headers not set when access-control-request-headers is set #660

Closed kevinsimper closed 1 year ago

kevinsimper commented 6 years ago

Prerequisites

Description

When the access-control-request-headers header is set the CORS headers are not returned and therefore CORS breaks in JavaScript. The first example is my localhost, the second is without the headers that the browsers send, and the third is to simulate the browser's headers.

$ http OPTIONS :3001/graphql access-control-request-headers:'authorization,content-type' access-control-request-method:'POST'
HTTP/1.1 204 No Content
Access-Control-Allow-Headers: authorization,content-type
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 0
Date: Mon, 14 May 2018 21:08:51 GMT
Vary: Access-Control-Request-Headers
X-Powered-By: Express

😸🐳 ~/Projects/hackyourfuture.dk/backend []
$ http OPTIONS https://tdla96bnzi.execute-api.eu-central-1.amazonaws.com/production/graphql
HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf8
Date: Mon, 14 May 2018 21:09:01 GMT
Vary: Access-Control-Request-Headers
Via: 1.1 8021f954d329869476f935f2fb14e66e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FnBeQsgK3XQnphHHLf8yg9e5u8_4JrW4UfcZEaPqvS0tqe8V48yjHA==
X-Amzn-Trace-Id: Root=1-5af9faec-0cc41d6041fed78a87af1d40
X-Cache: Miss from cloudfront
X-Powered-By: Express
x-amz-apigw-id: G5Qk5HKzliAFulw=
x-amzn-Remapped-Content-Length: 0
x-amzn-Remapped-Date: Mon, 14 May 2018 21:09:01 GMT
x-amzn-RequestId: 05b5c745-57bb-11e8-9814-3dd6fbbd2744

😸🐳 ~/Projects/hackyourfuture.dk/backend []
$ http OPTIONS https://tdla96bnzi.execute-api.eu-central-1.amazonaws.com/production/graphql access-control-request-headers:'authorization,content-type' access-control-request-method:'POST'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf8
Date: Mon, 14 May 2018 21:09:16 GMT
Vary: Access-Control-Request-Headers
Via: 1.1 8bdae94273544c8186e20a3c31375f99.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 7O4kJVY-EdvFvfoVpjCraHsShbfaPcVc6e6lIN0FhhVLslQiOWeLgQ==
X-Amzn-Trace-Id: Root=1-5af9fafc-3b67a2a43dcfdfc6fb60ef46
X-Cache: Miss from cloudfront
x-amz-apigw-id: G5QnbE3JliAFaww=
x-amzn-RequestId: 0f5ddb2a-57bb-11e8-b515-dde370b38be0

curl 'https://tdla96bnzi.execute-api.eu-central-1.amazonaws.com/production/graphql' -X OPTIONS -H 'pragma: no-cache' -H 'access-control-request-headers: authorization,content-type' -H 'access-control-request-method: POST' -H 'origin: https://hackyourfuture.dk' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36' -H 'accept: */*' -H 'cache-control: no-cache' -H 'authority: tdla96bnzi.execute-api.eu-central-1.amazonaws.com' -H 'referer: https://hackyourfuture.dk/dashboard/' --compressed

kevinsimper commented 6 years ago

I read #649 but my express server does not send a Content-Type for the options request.

I enabled cors: { debug: true, enable: true } and here are the logs:

  May 15th 10:22:23am INFO production ee777f8 starting app: PORT=37105 command=node app.js
  May 15th 10:22:23am INFO production ee777f8 started app: pid=16
  May 15th 10:22:23am INFO production ee777f8 waiting for app to listen on PORT
  May 15th 10:22:24am INFO production ee777f8 Listening on 37105
  May 15th 10:22:25am INFO production ee777f8 app listening: duration=2.119s
  May 15th 10:22:25am INFO production ee777f8 initialized: duration=2.139s
  May 15th 10:22:25am INFO production ee777f8 request: id=17c01163-5819-11e8-8b68-81a75de3b259 ip=83.93.187.177 method=OPTIONS path=/graphql
  May 15th 10:22:25am INFO production ee777f8 response: duration=39ms id=17c01163-5819-11e8-8b68-81a75de3b259 ip=83.93.187.177 method=OPTIONS path=/graphql size=0 B status=200
  May 15th 10:22:25am INFO 2018-05-15T08:22:25.679Z 17c0ad4a-5819-11e8-a6ac-55a9af9527f7    [shim] unexpected non-json line: `[cors] 2018/05/15 08:22:25 Handler: Preflight request`
  May 15th 10:22:25am INFO 2018-05-15T08:22:25.680Z 17c0ad4a-5819-11e8-a6ac-55a9af9527f7    [shim] unexpected non-json line: `[cors] 2018/05/15 08:22:25   Preflight aborted: empty origin`
  May 15th 10:22:25am INFO REPORT RequestId: 17c0ad4a-5819-11e8-a6ac-55a9af9527f7   Duration: 2330.19 ms    Billed Duration: 2400 ms    Memory Size: 512 MB Max Memory Used: 61 MB
  May 15th 10:24:36am INFO production ee777f8 request: id=67419cea-5819-11e8-8e96-9f5dbc1b57e7 ip=83.93.187.177 method=OPTIONS path=/login
  May 15th 10:24:36am INFO production ee777f8 response: duration=0s id=67419cea-5819-11e8-8e96-9f5dbc1b57e7 ip=83.93.187.177 method=OPTIONS path=/login size=0 B status=200
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.500Z 6743e75c-5819-11e8-8bfb-1d4902f23e99    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36 Handler: Preflight request`
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.500Z 6743e75c-5819-11e8-8bfb-1d4902f23e99    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36   Preflight response headers: map[Vary:[Accept-Encoding Origin Access-Control-Request-Method Access-Control-Request-Headers] Access-Control-Allow-Origin:[*] Access-Control-Allow-Methods:[POST] Access-Control-Allow-Headers:[Content-Type]]`
  May 15th 10:24:36am INFO REPORT RequestId: 6743e75c-5819-11e8-8bfb-1d4902f23e99   Duration: 18.26 ms  Billed Duration: 100 ms     Memory Size: 512 MB Max Memory Used: 61 MB
  May 15th 10:24:36am INFO production ee777f8 request: id=675bdb66-5819-11e8-bdf4-6984ec10250f ip=83.93.187.177 method=POST path=/login size=291 B
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.640Z 675c9edb-5819-11e8-b5f9-bd980eec6d1d    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36 Handler: Actual request`
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.640Z 675c9edb-5819-11e8-b5f9-bd980eec6d1d    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36   Actual response added headers: map[Vary:[Accept-Encoding Origin] Access-Control-Allow-Origin:[*]]`
  May 15th 10:24:37am INFO production ee777f8 response: duration=852ms id=675bdb66-5819-11e8-bdf4-6984ec10250f ip=83.93.187.177 method=POST path=/login size=489 B status=200
  May 15th 10:24:37am INFO REPORT RequestId: 675c9edb-5819-11e8-b5f9-bd980eec6d1d   Duration: 853.84 ms Billed Duration: 900 ms     Memory Size: 512 MB Max Memory Used: 63 MB
  May 15th 10:24:38am INFO production ee777f8 request: id=685f8fe6-5819-11e8-bda9-03101e565b5e ip=83.93.187.177 method=OPTIONS path=/graphql
  May 15th 10:24:38am INFO production ee777f8 response: duration=0s id=685f8fe6-5819-11e8-bda9-03101e565b5e ip=83.93.187.177 method=OPTIONS path=/graphql size=0 B status=200
  May 15th 10:24:38am INFO 2018-05-15T08:24:38.339Z 685fddfd-5819-11e8-885b-e9c995cc9bde    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:38 Handler: Preflight request`
  May 15th 10:24:38am INFO 2018-05-15T08:24:38.339Z 685fddfd-5819-11e8-885b-e9c995cc9bde    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:38   Preflight aborted: headers '[Authorization Content-Type]' not allowed`
  May 15th 10:24:38am INFO REPORT RequestId: 685fddfd-5819-11e8-885b-e9c995cc9bde   Duration: 1.45 ms   Billed Duration: 100 ms     Memory Size: 512 MB Max Memory Used: 63 MB
  May 15th 10:24:45am INFO production ee777f8 request: id=6cacf0ed-5819-11e8-b2e0-c9e5dc9b6bbd ip=83.93.187.177 method=OPTIONS path=/graphql
  May 15th 10:24:45am INFO production ee777f8 response: duration=0s id=6cacf0ed-5819-11e8-b2e0-c9e5dc9b6bbd ip=83.93.187.177 method=OPTIONS path=/graphql size=0 B status=200
  May 15th 10:24:45am INFO 2018-05-15T08:24:45.555Z 6cad3f86-5819-11e8-9229-67363aa6ed38    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:45 Handler: Preflight request`
  May 15th 10:24:45am INFO 2018-05-15T08:24:45.556Z 6cad3f86-5819-11e8-9229-67363aa6ed38    [shim] unexpected non-json line: `[cors] 2018/05/15 08:24:45   Preflight aborted: headers '[Authorization Content-Type]' not allowed`
  May 15th 10:24:45am INFO REPORT RequestId: 6cad3f86-5819-11e8-9229-67363aa6ed38   Duration: 1.69 ms   Billed Duration: 100 ms     Memory Size: 512 MB Max Memory Used: 63 MB

Also the examples in the git repo do not cover CORS with POST and authorization header and the graphql example

https://github.com/apex/up-examples/tree/master/oss

kevinsimper commented 6 years ago

Found something that wasn't in the documentation, but was available in the code.

It is not used in any of the examples https://github.com/apex/up-examples/search?utf8=%E2%9C%93&q=allowed_headers&type=

But I will add one 😄

I would also suggest that allowed_headers starts with a default with Content-Type as the browser adds it by default, as seen in the curl example above.

tj commented 6 years ago

I'll fix the docs, I just noticed the defaults for allowed_headers is incorrect on the site, it's "Origin", "Accept", "Content-Type", "X-Requested-With" by default — and I'll add CORS to the graphql example
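The debug log earlier in this thread shows the preflight being aborted in two ways ("empty origin", then "headers '[Authorization Content-Type]' not allowed"), and the comment above gives the default allowlist that causes the second abort. The following Go program is an added example, not Up's own code, that models that decision order: check the origin, then the requested method, then every header named in Access-Control-Request-Headers against the allowlist, and only when all pass emit the Access-Control-* response headers. The `Config`, `Result` and `Preflight` names, the sample request headers and the exact wording of the abort reasons are constructed for this example; the default header list is the one stated above.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// DefaultAllowedHeaders are the defaults cited by tj in this thread.
// Authorization is deliberately absent, which is why the graphql preflight
// in the log was aborted.
var DefaultAllowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"}

// Config is a minimal stand-in for a CORS configuration (hypothetical type).
type Config struct {
	AllowedOrigins []string // "*" allows any origin
	AllowedMethods []string
	AllowedHeaders []string
}

// Result is the preflight decision: either the headers to send with the
// response, or the reason the preflight was aborted (no CORS headers at all,
// which the browser reports as a CORS failure even though the HTTP status
// itself may be 200).
type Result struct {
	Allowed bool
	Reason  string
	Headers http.Header
}

// containsFold reports whether list holds v, compared case-insensitively.
func containsFold(list []string, v string) bool {
	for _, s := range list {
		if strings.EqualFold(s, v) {
			return true
		}
	}
	return false
}

// parseList splits a comma-separated header-name list, trims whitespace,
// drops empty entries and canonicalises each name (authorization -> Authorization).
func parseList(v string) []string {
	var out []string
	for _, p := range strings.Split(v, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, http.CanonicalHeaderKey(p))
		}
	}
	return out
}

// Preflight applies the allowlist checks in the order the debug log shows:
// origin, then method, then every requested header. Any failure aborts the
// preflight and returns no CORS headers.
func Preflight(cfg Config, req http.Header) Result {
	origin := req.Get("Origin")
	if origin == "" {
		return Result{Reason: "empty origin"}
	}
	if !containsFold(cfg.AllowedOrigins, "*") && !containsFold(cfg.AllowedOrigins, origin) {
		return Result{Reason: fmt.Sprintf("origin %q not allowed", origin)}
	}
	method := req.Get("Access-Control-Request-Method")
	if !containsFold(cfg.AllowedMethods, method) {
		return Result{Reason: fmt.Sprintf("method %q not allowed", method)}
	}
	requested := parseList(req.Get("Access-Control-Request-Headers"))
	var denied []string
	for _, h := range requested {
		if !containsFold(cfg.AllowedHeaders, h) {
			denied = append(denied, h)
		}
	}
	if len(denied) > 0 {
		return Result{Reason: fmt.Sprintf("headers %v not allowed", denied)}
	}

	h := http.Header{}
	// Vary on everything the answer depended on, so caches keep the
	// per-origin / per-request decisions apart.
	h.Add("Vary", "Origin")
	h.Add("Vary", "Access-Control-Request-Method")
	h.Add("Vary", "Access-Control-Request-Headers")
	if containsFold(cfg.AllowedOrigins, "*") {
		h.Set("Access-Control-Allow-Origin", "*")
	} else {
		h.Set("Access-Control-Allow-Origin", origin)
	}
	h.Set("Access-Control-Allow-Methods", strings.ToUpper(method))
	if len(requested) > 0 {
		// Echo only the headers actually requested, as the log's
		// "Preflight response headers" line does.
		h.Set("Access-Control-Allow-Headers", strings.Join(requested, ", "))
	}
	return Result{Allowed: true, Headers: h}
}

func main() {
	cfg := Config{
		AllowedOrigins: []string{"*"},
		AllowedMethods: []string{"GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"},
		AllowedHeaders: DefaultAllowedHeaders,
	}
	// Constructed request in the shape of the browser preflight from the issue.
	browser := http.Header{}
	browser.Set("Origin", "https://hackyourfuture.dk")
	browser.Set("Access-Control-Request-Method", "POST")
	browser.Set("Access-Control-Request-Headers", "authorization,content-type")
	r := Preflight(cfg, browser)
	fmt.Printf("defaults: allowed=%v reason=%q\n", r.Allowed, r.Reason)

	// Same request once Authorization is added to allowed_headers.
	cfg.AllowedHeaders = append(append([]string{}, DefaultAllowedHeaders...), "Authorization")
	r = Preflight(cfg, browser)
	fmt.Printf("with Authorization: allowed=%v headers=%v\n", r.Allowed, r.Headers)
}
```

The first run reproduces the failure from the log (Authorization is not in the defaults, so the preflight is aborted and no Access-Control-* headers are sent); the second shows that adding Authorization to the allowlist is enough for the same request to pass. Keeping the allowlist explicit rather than echoing whatever the client asks for is the point of the check: a preflight that reflects arbitrary request headers would grant every script on the web the right to send them.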

tj commented 6 years ago

Fixed the docs to show those defaults and added https://github.com/apex/up-examples/commit/b3339a64ee6d8e0fe805290593865a8a5c80c782

kevinsimper commented 6 years ago

That is awesome, thank you! 👍