openedx / frontend-app-authoring

Front-end for the Open edX Studio experience, implemented in React and Paragon.
GNU Affero General Public License v3.0

CORS errors when entering directly MFE host through the browser and not by redirections #1080

Open mariajgrimaldi opened 5 months ago

mariajgrimaldi commented 5 months ago

Description

When opening https://apps.redwood.demo.edly.io/course-authoring/home directly, without first opening https://studio.redwood.demo.edly.io and being redirected, a CORS error is raised when trying to use the MFE. In this case the MFE is doing the request for oauth2 to log in to Studio and fails because of CORS. When I open the Studio MFE from studio.redwood.demo.edly.io I become a logged-in user and the login flow from the MFE is not triggered.

Expected behavior

Request to become a Course creator is sent, and an appropriate message is displayed

Actual behavior

I get an error: "Sorry, there was an error with your request." Console logs:

home:1 Access to XMLHttpRequest at 'https://redwood.demo.edly.io/oauth2/authorize?client_id=cms-sso&redirect_uri=https%3A%2F%2Fstudio.redwood.demo.edly.io%2Fcomplete%2Fedx-oauth2%2F%3Fredirect_state%3DnWpdAjq4Qqrjji7z9koTja6UvhjoviKz&state=nWpdAjq4Qqrjji7z9koTja6UvhjoviKz&response_type=code&scope=user_id+profile+email' (redirected from 'https://studio.redwood.demo.edly.io/request_course_creator') from origin 'https://apps.redwood.demo.edly.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Steps to reproduce

  1. Register a new User
  2. Open Studio https://apps.redwood.demo.edly.io/course-authoring/home
  3. Click on "Becoming a course creator in Studio" in the area below the text "Are you staff on an existing Studio course? The course creator must give you access to the course. Contact the course creator or administrator for the course you are helping to author."
  4. Click on the "Request the ability to create courses" button.

Original issue: https://github.com/openedx/wg-build-test-release/issues/379
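
The console message in the report above involves three origins: the MFE page, Studio, and the LMS. As an added example (not part of the original issue or the Open edX code), this JavaScript helper parses a Chrome CORS block message and flags when the blocked hop is an OAuth2 authorization redirect. The name triageCorsMessage, the returned field names and the likelyCause heuristic are assumptions, and the sample string is a constructed copy of the logged message with the state value replaced.

```javascript
// Added triage helper, not from the issue or the project.
// Constructed copy of the reported console message (state value replaced by STATE).
const SAMPLE =
  "Access to XMLHttpRequest at 'https://redwood.demo.edly.io/oauth2/authorize" +
  "?client_id=cms-sso&redirect_uri=https%3A%2F%2Fstudio.redwood.demo.edly.io" +
  "%2Fcomplete%2Fedx-oauth2%2F%3Fredirect_state%3DSTATE&state=STATE" +
  "&response_type=code&scope=user_id+profile+email' (redirected from " +
  "'https://studio.redwood.demo.edly.io/request_course_creator') from origin " +
  "'https://apps.redwood.demo.edly.io' has been blocked by CORS policy: " +
  "Response to preflight request doesn't pass access control check: " +
  "No 'Access-Control-Allow-Origin' header is present on the requested resource.";

function triageCorsMessage(message) {
  const m = message.match(
    /Access to (\S+) at '([^']+)'(?: \(redirected from '([^']+)'\))? from origin '([^']+)' has been blocked by CORS policy: (.*)$/s
  );
  if (!m) return null; // not a Chrome CORS block message
  const [, api, blocked, redirectedFrom, pageOrigin, reason] = m;
  const blockedUrl = new URL(blocked);
  const params = blockedUrl.searchParams;
  // Heuristic (assumption): these three parameters mark an OAuth2 authorization request.
  const isOAuthAuthorize =
    params.has("response_type") && params.has("client_id") && params.has("redirect_uri");
  const firstHop = redirectedFrom ? new URL(redirectedFrom) : null;
  return {
    api,                                              // API that issued the request
    pageOrigin,                                       // origin of the page running the script
    firstHopOrigin: firstHop ? firstHop.origin : null, // host the script actually called
    firstHopPath: firstHop ? firstHop.pathname : null,
    blockedOrigin: blockedUrl.origin,                 // host whose response failed the CORS check
    isOAuthAuthorize,
    oauthClientId: params.get("client_id"),
    oauthCallbackOrigin: isOAuthAuthorize ? new URL(params.get("redirect_uri")).origin : null,
    preflightFailed: /preflight/i.test(reason),
    // A login redirect answering an XHR suggests the first hop had no session for the caller.
    likelyCause: redirectedFrom && isOAuthAuthorize ? "unauthenticated-at-first-hop" : "cors-config",
  };
}

console.log(triageCorsMessage(SAMPLE));
```

For the reported message, the first hop is Studio's /request_course_creator and the blocked hop is the LMS authorize endpoint, which matches the reporter's observation that the login flow is only triggered when no Studio session exists.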

mariajgrimaldi commented 5 months ago

I'm not sure if this is the intended behavior, so I opened this issue to make sure. Feel free to close it if it's a non-issue.

mariajgrimaldi commented 5 months ago

I tested something similar in the learning MFE: I tried loading apps... instead of the LMS host, then I tried to unenroll but didn't get any CORS issue.

crathbun428 commented 2 weeks ago

@mariajgrimaldi - This is an interesting one. Thank you for reporting. It feels weird to allow someone that currently doesn't have access to Studio to make a request to get access to Studio and have the error message be: Sorry, there was an error with your request with little detail. Is this button being used somewhere on the backend? @jmakowski1123 or @sarina

As an alternative, I could see this being updated with a message letting the user know that they currently don't have permissions to access studio and let them know if they should have access, they should reach out to their course delivery team to be added to the appropriate course(s) as staff.

sarina commented 2 weeks ago

I think this is the same as the Limited Staff User issue: if we detect there are permissions errors in accessing a Studio page, you should get a message along the lines of "You don't have access to this page, if this is in error, please contact your site admin" or something.

crathbun428 commented 2 weeks ago

@sarina - Thanks, Sarina. This makes sense to me.

FYI - Maria, I'll update this bug's priority level.