gin-contrib / cors

Official CORS gin's middleware
https://gin-gonic.github.io/gin/
MIT License
1.76k stars 182 forks

Cors error #136

Open juancer opened 7 months ago

juancer commented 7 months ago

Hello,

I'm having problems with CORS on my backend with the PUT request. This is my conf:

    r := gin.Default()
    config := cors.DefaultConfig()
    config.AllowOrigins = []string{"https://domain1.es", "https://www.domain1.es", "https://domain2.es", "https://www.domain2.es", "http://ip", "https://ip"}
    config.AllowCredentials = true
    config.AllowMethods = []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}
    config.AllowHeaders = []string{"Origin", "Content-Length", "Content-Type", "Authorization", "user-agent", "X-Requested-With", "Token"}
    config.MaxAge = 12 * time.Hour
    config.AllowOriginFunc = func(origin string) bool {
        return origin == "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip"
    }
    r.Use(cors.New(config))

I'm also trying to manage my OPTIONS request and checking the headers to print them on my console:

    r.OPTIONS("/service", func(c *gin.Context) {
        c.Header("Access-Control-Allow-Origin", "https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip")
        c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
        c.Header("Access-Control-Allow-Headers", "Authorization, Content-Type, Origin, Content-Length, user-agent, X-Requested-With, Token")
        c.Header("AllowCredentials", "true")
        fmt.Println("Headers from the request:")

        origin := c.Request.Header.Get("Origin")
        if !isValidOrigin(origin, config.AllowOrigins) {
            c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid CORS origin"})
            return
        }
        c.JSON(http.StatusNoContent, nil)
    })

However, when I try to call with the PUT, I'm getting a 403 error in my browser and this message: "CORS missing allow origin" with the PUT request, and, in my console, I only get: [GIN] 2024/02/05 - 14:23:17 | 204 | 63.98µs | ip | OPTIONS "/service" (this is the reason why I'm adding the ip in the allow origins)

I have:

GET /service
PUT /service
DELETE /service
OPTIONS /service -> to manage this preflight request

Here is a playground with the full example

Could someone help me to clarify my situation?

Thanks,

dbhoot commented 6 months ago

What's the origin your request is coming from? Most likely, the origin doesn't match and the cors middleware is aborting.

jub0bs commented 6 months ago

The callback assigned to AllowOriginFunc is incorrect because

https://domain1.es, https://domain2.es, https://www.domain1.es, https://www.domain2.es, http://ip, https://ip

is not a valid Web-origin value. And because that field, when set, takes precedence over AllowOrigins, the resulting CORS middleware is dysfunctional. cors.New could alert you to such misconfigurations by returning an error result, but it sadly doesn't. To fix your issue, just get rid of AllowOriginFunc in your Config struct.
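
Added example, not part of the thread and not code from gin-contrib/cors: a standard-library illustration of the construction-time check described in the last comment, where every configured entry must be a single web origin and request origins are matched exactly. The names validateOrigin and newOriginChecker are hypothetical, and the sample origins are the ones from the config posted in the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// validateOrigin (hypothetical helper) returns an error unless s is one
// serialized web origin: scheme://host[:port], nothing else.
func validateOrigin(s string) error {
	if strings.ContainsAny(s, ", \t") {
		return fmt.Errorf("%q: list separator found; use one origin per entry", s)
	}
	u, err := url.Parse(s)
	if err != nil {
		return fmt.Errorf("%q: %v", s, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%q: scheme must be http or https", s)
	}
	if u.Host == "" || u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("%q: want scheme://host[:port] only", s)
	}
	return nil
}

// newOriginChecker (hypothetical helper) rejects a malformed allowlist up
// front and returns an exact-match predicate for the request's Origin header.
func newOriginChecker(allowed []string) (func(string) bool, error) {
	set := make(map[string]struct{}, len(allowed))
	for _, o := range allowed {
		if err := validateOrigin(o); err != nil {
			return nil, err
		}
		set[o] = struct{}{}
	}
	return func(origin string) bool { _, ok := set[origin]; return ok }, nil
}

func main() {
	// The comma-joined value from the issue is refused at construction time.
	_, err := newOriginChecker([]string{"https://domain1.es, https://domain2.es"})
	fmt.Println("joined list rejected:", err != nil)
	// One origin per entry: a browser sends a single origin in Origin.
	allow, _ := newOriginChecker([]string{"https://domain1.es", "https://domain2.es"})
	fmt.Println(allow("https://domain1.es"), allow("https://domain3.example"))
}
```
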