Open andrei-s-making-science opened 6 months ago
olivermrbl
commented
6 months ago @andrei-s-making-science, thanks for sharing. Exemplary issue description.
Any chance you can provide a reproduction in a repository? That would make the time to resolution shorter.
andrei-s-making-science
commented
6 months ago @olivermrbl medusa.zip
You can remove the usage of medusa-plugin-strapi (in medusa-config.js, package.json), it should not affect the result.
Thanks for your help!
codeustad
commented
6 months ago Try with import * as cors from 'cors' in your middleware.
andrei-s-making-science
commented
6 months ago @codeustad will do that and will get back to you with the results.
What about necessity of the authenticate() middleware?
as i can see it is configured and stored in req.app._router.stack, but bearer token and api_token are not providing req.user for core /admin resources?
UPDATE:
import { MiddlewaresConfig, authenticate } from '@medusajs/medusa';
import { parseCorsOrigins } from 'medusa-core-utils';
import authorize from './middlewares/authorize';
import * as cors from 'cors';
export const config: MiddlewaresConfig = {
routes: [
{
// TODO: verify if analytics-config requires auth. Throwing CORS at the moment.
matcher: /^\/admin\/(?!auth|analytics-config|users\/reset-password|users\/password-token|invites\/accept).*/,
// TODO: verify why authenticate throws cors and why req.user doesn't exist in case no authenticate()
middlewares: [
cors.default({ credentials: true, origin: parseCorsOrigins(process.env.ADMIN_CORS ?? '') }),
authenticate(),
authorize,
],
},
],
};Looks like this helped. I believe this can be used as a temporary solution for us, huge thanks @codeustad, looks like i've messed up with import during my tests. Still having a question, which is described above 👀
Bug report
Describe the bug
Playing around with authorization middleware, bit similar to https://docs.medusajs.com/modules/users/backend/rbac
When adding a custom middleware with matcher for
/admin/*routes: For the core/adminroutes e.g.GET /admin/users:bearer tokenrequest -req.user.userIdis not defined ❌cookiesrequest -req.session.user_idis defined ✅api_tokenrequest -req.useris not defined ❌req.useris not defined,req.session.user_idis not defined ✅For
/admin/customroutes e.g.GET /admin/custom/rolesbearer tokenrequest -req.user.userIdis defined ✅cookiesrequest -req.session.user_idis defined ✅api_tokenrequest -req.useris defined as User object ✅req.useris not defined,req.session.user_idis not defined ✅Expected behaviour: For the core
/adminroutes e.g.GET /admin/users- 1. and 3. should definereq.user.user_idandreq.useraccordingly.Notes
Tried some workarounds described in: https://github.com/medusajs/medusa/issues/5964, which have other issues. See other sections below for more information.
Would really appreciate your help.
System information
Medusa version (including plugins): v1.20.2, (see the package.json below) Node.js version: v18 Database: Postgres Operating system: MacOS 12.5.1, Apple M1 Pro Browser (if relevant): Chrome
Steps to reproduce the behavior
Predecessor
Example:
Case 1. Middlewares
GET /admin/usersActual result:
req.user, req.session.user_idare undefined Expected result:req.user, req.session.user_idare definedCase 2. Middlewares with authenticate() middleware
GET /admin/usersExample:
Actual result:
req.user, req.session.user_idare defined, CORS error during request from admin UI for/admin/users(exceptions: some endpoints e.g./admin/products) Expected result:req.user, req.session.user_idare defined, CORS errors and not thrownCase 3. Middlewares with authenticate() and cors() middlewares
GET /admin/usersExample:
Actual result:
req.user, req.session.user_idare defined, CORS error during request from admin UI for/admin/users(exceptions: some endpoints e.g./admin/products) Expected result:req.user, req.session.user_idare defined, CORS errors and not thrownExpected behavior
No additional middlewares required or provide a solution of how to avoid the CORS issue.
Screenshots
CORS if authenticate() middleware applied:
No CORS for some admin endpoints:
Code snippets
Configuration
package.json
.env
admin ui is being accessed via http://localhost:7001. not sure if this information is required, as described in Summary section: CORS is being thrown in case authenticate() middleware applied and not every core /admin endpoint throws CORS.
Code
/src/api/middlewares.ts
/src/api/middlewares/authorize.ts
Not sharing a code as of redundancy, tried an empty log middleware - same result as described in Summary section e.g.
Additional context
Things i've tried:
authenticate()middleware -req.userwill be defined for the core/adminroutes, but CORS errors will appear on admin UI for some of the endpoints:GET /admin/users, GET /admin/store, GET /invites. Some of the endpoints do not throw CORS e.g.GET /admin/productscors()middleware - same issue as described in 1.req.app._router.stackin custom middleware contains the authenticate middleware, but looks like it's not applied.authenticate()orcors()middlewares, as they are in place, which seems to be right, but not sure exactly how medusa code operates, cannot even understand how v1 grabs the middlewares, found the code only for v2 (looks like i need more time for this).OPTIONS- CORS preflifght will return200instead of204and relevant request will fail. So i have to check for method in the middleware code and skipOPTIONSmethods.node_modulesnode_modules/@medusajs/medusa/dist/to debug - the issue disappeared. Can be a race condition of i'm missing something. But when i've tried to access without auth and then put it back on - it began again.