go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

CORS config not appearing Gitea Console Settings and not sure it is taking effect (FastAPI Swagger OAuth flow) #31378

Closed elapse2039 closed 2 months ago

elapse2039 commented 3 months ago

Description

I have run into a CORS issue that I am maybe misunderstanding or misconfiguring.

What I'm wondering is which thing (the server or gitea) is complaining about CORS during the OAuth flow?

(Please note: I've replaced domain with mydomain.com)

I have...

In Swagger, I open the popup and when I authorize I get directed to Gitea website to login successfully but when coming back to the Swagger page, I see some flickering and this screenshot.

[screenshot: ksnip_20240614-105544]

I see this in my browser console...

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gitea.mydomain.com/login/oauth/access_token. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gitea.mydomain.com/login/oauth/access_token. (Reason: CORS request did not succeed). Status code: (null).

[screenshot: ksnip_20240614-110948]

(I don't get why there is a NS_ERROR_DOM_BAD_URI error.)

In fastapi project, I have included CORS

    from fastapi import FastAPI
    from fastapi.middleware.cors import CORSMiddleware

    app = FastAPI()

    # Browser origins allowed to call this API
    origins = [
        "https://gitea.myserver.com",
    ]

    app.add_middleware(
        CORSMiddleware,
        allow_origins=origins,
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
    )

In Gitea I've also tried enabling CORS... but I don't see this appear in the Gitea Console.

[cors]
ENABLED = true
ALLOW_DOMAIN = mydomain.com
ALLOW_SUBDOMAIN = true
ALLOW_CREDENTIALS = true
HEADERS = Content-Type,User-Agent
METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS

The OAuth flow is based on FastAPI docs and I had some success integrating with the Gitea OAuth Provider if I have explicit APIs, but not if I try and use Swagger UI, which is what I'd really like to have working.

So my two questions:

  1. Should I see CORS section in Gitea and how can I know it is actually working?
  2. Which service is complaining about CORS? myserver.mydomain.com or gitea.mydomain.com?

Gitea Version

1.22

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

linux

How are you running Gitea?

Self hosted via docker compose.

Database

None
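One way to answer question 1 ("how can I know it is actually working?") without relying on the console is to send a request that carries an Origin header and inspect the response headers the browser will see. The script below is an added example, not code from this issue or from Gitea; the URL and origin values are placeholders, and the sample header sets are constructed rather than captured from a real instance. check_cors evaluates a response-header mapping against what a browser requires, and fetch_headers performs the live request so the same check can be run against the real endpoint.

```python
"""Check whether an endpoint answers a cross-origin request with the CORS
headers a browser needs (added example; not Gitea project code)."""
import sys
import urllib.request
from urllib.error import HTTPError


def check_cors(headers, origin, want_credentials=True, preflight=False):
    """Return (ok, problems) for a mapping of response headers.

    origin is the page origin making the call (e.g. the Swagger UI host).
    preflight=True additionally checks an OPTIONS response for the
    Allow-Methods header a non-simple request needs.
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        # This is exactly the condition Firefox reports as
        # "CORS header 'Access-Control-Allow-Origin' missing".
        problems.append("Access-Control-Allow-Origin missing")
    elif acao not in ("*", origin):
        problems.append(f"Access-Control-Allow-Origin is {acao!r}, not {origin!r}")
    if want_credentials:
        if h.get("access-control-allow-credentials", "").lower() != "true":
            problems.append("Access-Control-Allow-Credentials is not 'true'")
        if acao == "*":
            # Browsers refuse a wildcard origin when credentials are sent.
            problems.append("wildcard origin is not accepted with credentials")
    if preflight:
        methods = [m.strip().upper()
                   for m in h.get("access-control-allow-methods", "").split(",")]
        if "POST" not in methods:
            problems.append("preflight does not allow POST")
    return (not problems, problems)


def fetch_headers(url, origin, method="GET"):
    """Send a request with an Origin header and return the response headers.

    Non-2xx responses still carry headers, so they are returned too.
    """
    req = urllib.request.Request(url, method=method, headers={"Origin": origin})
    if method == "OPTIONS":
        req.add_header("Access-Control-Request-Method", "POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses (not captured from a real Gitea instance).
SAMPLE_OK = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://myserver.mydomain.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}
SAMPLE_PREFLIGHT_OK = dict(SAMPLE_OK, **{
    "Access-Control-Allow-Methods": "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type,User-Agent",
})
SAMPLE_NO_CORS = {"Content-Type": "application/json"}


if __name__ == "__main__":
    # Usage: cors_check.py <url> <page-origin>  (both are placeholders here)
    url = sys.argv[1] if len(sys.argv) > 1 else "https://gitea.example.invalid/login/oauth/access_token"
    origin = sys.argv[2] if len(sys.argv) > 2 else "https://myserver.example.invalid"
    for method, pre in (("OPTIONS", True), ("GET", False)):
        ok, problems = check_cors(fetch_headers(url, origin, method), origin, preflight=pre)
        print(method, "OK" if ok else "FAILED: " + "; ".join(problems))
```

Running it once against the Gitea container port directly and once against the public hostname that goes through the NGINX proxy shows which hop is dropping the Access-Control-Allow-Origin header, which is what question 2 is really asking; a proxy that answers OPTIONS itself, or that strips upstream headers, will fail the check even when the [cors] section in app.ini is correct.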

wxiaoguang commented 3 months ago

I worked on the CORS-related code before ( Refactor CORS handler #28587 ). IIRC the minimal config is:

[cors]
ENABLED = true
; or also comment the ALLOW_DOMAIN out: list of requesting origins that are allowed, eg: "https://*.example.com", default to "*"
;ALLOW_DOMAIN = *

(unfortunately there is no easy way to check from console to see whether the config is correctly applied .... if the config file is right, it should work IMO)

elapse2039 commented 3 months ago

Thanks for the clarification.

I am not seeing this make any difference.

One detail: The gitea server is behind an NGINX transparent proxy.

Possibly a solution.... I have found by adding a set of CORS headers that specify allowed origins for myserver.mydomain.com to the NGINX gitea proxy then myserver.mydomain.com can successfully make calls to gitea.mydomain.com.

Questions...

I am not sure if CORS headers are expected to traverse a NGINX proxy?

I haven't tried placing the Gitea service in front... but wondering if you would/should have CORS defined at NGINX or whether there is a problem with Gitea CORS?

wxiaoguang commented 3 months ago

Questions...

I am not sure if CORS headers are expected to traverse a NGINX proxy?

According to #28587 and related user feedbacks, I think Gitea should be able to handle CORS correctly. No idea why it doesn't respond correctly in your environment.

If the CORS is correctly enabled, you could see a startup log saying: CORS Service Enabled

GiteaBot commented 2 months ago

We close issues that need feedback from the author if there were no new comments for a month. :tea: