corydolphin / flask-cors

Cross Origin Resource Sharing (CORS) support for Flask
https://flask-cors.corydolphin.com/
MIT License

Next.JS API Call to Flask API POST Endpoint - `Access-Control-Allow-Credentials` is not set properly #321

Open mtdutaro opened 1 year ago

mtdutaro commented 1 year ago

I'm trying to pass in a cookie to a Flask API POST Endpoint:

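```javascript
export async function login(username, password, csrfToken, sessionCookie) {
  console.log(sessionCookie);
  // buildLink() is the project's own URL helper (not shown in the issue).
  const res = await fetch(buildLink("api/login/"), {
    method: "POST",
    // Send cookies on this cross-origin request.
    credentials: "include",
    headers: {
      "Content-Type": "application/json",
      "X-CSRFToken": csrfToken,
    },
    // fetch() needs a string body; a plain object would be sent as "[object Object]".
    body: JSON.stringify({
      username: username,
      password: password,
      cookie: sessionCookie,
    }),
  });
  const user = await res.json();
  console.log(user);
  return user;
}
```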

However, the error I get when making this request in the browser is:

```
Access to fetch at 'http://127.0.0.1:2476/api/login/' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
```

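My set-up using flask-cors is:

```python
from flask import Flask
from flask_cors import CORS
from flask_login import LoginManager
from flask_wtf.csrf import CSRFProtect

# The issue does not show where `app` is created; defined here so the snippet runs.
app = Flask(__name__)

login_manager = LoginManager()
login_manager.init_app(app)
login_manager.session_protection = "strong"
csrf = CSRFProtect(app)
cors = CORS(
    app,
    resources={
        r"*": {
            # Origins allowed to call the API from a browser.
            "origins": [
                "http://localhost:8080",
                "http://localhost:3000",
                "http://127.0.0.1:3000",
                "http://127.0.0.1:8080",
            ]
        }
    },
    expose_headers=["Content-Type", "X-CSRFToken"],
    supports_credentials=True,
)
```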
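The browser-side checks behind the error message above, as an added example that is not part of the original issue or of flask-cors: a standard-library function that applies the Fetch rules for a preflight response when the request uses `credentials: "include"`. The function name and the sample header values are assumptions made for illustration; only the origin and the empty `Access-Control-Allow-Credentials` value come from the reported error.

```python
# Added example (not from the issue): the checks a browser applies to a
# preflight response when the request uses credentials: "include".
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

def tokens(value):
    """Split a comma-separated header value into stripped, non-empty tokens."""
    return {t.strip() for t in value.split(",") if t.strip()}

def check_credentialed_preflight(origin, method, request_headers, response_headers):
    """Return the reasons a browser would reject this preflight response."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    problems = []

    allow_origin = resp.get("access-control-allow-origin", "")
    if allow_origin == "*":
        problems.append("Allow-Origin is '*', not permitted with credentials")
    elif allow_origin != origin:
        problems.append(f"Allow-Origin {allow_origin!r} does not match {origin!r}")

    # Must be exactly "true": '', 'True' and 'TRUE' all fail.
    allow_creds = resp.get("access-control-allow-credentials", "")
    if allow_creds != "true":
        problems.append(f"Allow-Credentials is {allow_creds!r}, must be 'true'")

    # With credentials, "*" in Allow-Methods/Allow-Headers is a literal
    # token, not a wildcard, so plain set membership is the right test.
    allowed_methods = tokens(resp.get("access-control-allow-methods", ""))
    if method not in SAFELISTED_METHODS | allowed_methods:
        problems.append(f"method {method} not in Allow-Methods")

    allowed_headers = {h.lower() for h in tokens(resp.get("access-control-allow-headers", ""))}
    missing = sorted(h.lower() for h in request_headers if h.lower() not in allowed_headers)
    if missing:
        problems.append("headers not in Allow-Headers: " + ", ".join(missing))
    return problems

# Constructed sample data. Only the origin and the empty Allow-Credentials
# value come from the error message; the other header values are assumed.
ORIGIN = "http://localhost:3000"
REQUEST_HEADERS = ["Content-Type", "X-CSRFToken"]  # set by the fetch() call
FAILING = {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "content-type, x-csrftoken",
}
PASSING = dict(FAILING, **{"Access-Control-Allow-Credentials": "true"})

if __name__ == "__main__":
    print(check_credentialed_preflight(ORIGIN, "POST", REQUEST_HEADERS, FAILING))
```

Feeding it the headers of a real `OPTIONS` response (for example from the browser's network tab) shows which of the four conditions the server's CORS configuration fails to meet.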