openfoodfacts / openfoodfacts-server

Open Food Facts database, API server and web interface - 🐪🦋 Perl, CSS and JS coders welcome 😊 For helping in Python, see Robotoff or taxonomy-editor
http://openfoodfacts.github.io/openfoodfacts-server/
GNU Affero General Public License v3.0

CORS add hunger.openfoodfacts.org to authentication url #6462

Closed alexfauquette closed 2 years ago

alexfauquette commented 2 years ago

alexgarel commented 2 years ago

@alexfauquette, so sorry I didn't manage to do it. I'm lending it to @stephanegigandet.

On using curl to test it, this can help.

stephanegigandet commented 2 years ago

@alexfauquette I deployed https://github.com/openfoodfacts/openfoodfacts-server/pull/7022 in production, can you check if it works for you?

alexfauquette commented 2 years ago

@stephanegigandet I added a console log to verify in production what JS has access to. The following script is run when loading the page https://hunger.openfoodfacts.org/logos/search

```js
// Cross-origin request to the auth endpoint, sending the session cookie
axios.get("https://world.openfoodfacts.org/cgi/auth.pl", { withCredentials: true })
  .then((rep) => console.log({ rep }))
  .catch((err) => console.log({ err }));
```

The line you added allows sending the cookies. What is missing is the Access-Control-Allow-Origin header.

Since for now it seems I'm the only JS app using it, you can set Access-Control-Allow-Origin: https://hunger.openfoodfacts.org

I tried with the extension Moesif Origin & CORS Changer, which allows modifying the response headers.

With Access-Control-Allow-Origin: https://hunger.openfoodfacts.org or Access-Control-Allow-Origin: * I can see in the axios response if I'm logged in (code 200) or not (code 403), compared to now where I always get a "network error" message.

stephanegigandet commented 2 years ago

> Since for now it seems I'm the only JS app using it, you can set Access-Control-Allow-Origin: https://hunger.openfoodfacts.org

mmmh. I'm not sure about that. Folksonomy Engine uses /cgi/auth.pl as well. cc @CharlesNepote @cquest

I can put Access-Control-Allow-Origin: *, I guess; the only thing this script does is to check if a session is opened.

stephanegigandet commented 2 years ago

@alexfauquette does it work now?

alexfauquette commented 2 years ago

Does not seem to work. I searched a bit on the internet for what could be wrong. Seems * is not working with credentials.

https://httptoolkit.tech/blog/how-to-debug-cors-errors/

  • The response must include a Access-Control-Allow-Origin header, whose value either matches the page's origin or is *. The page's origin is sent in the request in an Origin header.
  • If the request included credentials (e.g. fetch(url, { credentials: 'include' })) then the response headers must include Access-Control-Allow-Credentials: true, and the Access-Control-Allow-Origin header must match exactly (i.e. * is not allowed).

About Folksonomy Engine, from what I understand, it is added to the main website, so the origin website and the server are the same.

alexgarel commented 2 years ago

@stephanegigandet if you add the Access-Control-Allow-Origin header in Perl, using the "referer" header from the request, this might supersede the nginx headers.

stephanegigandet commented 2 years ago

@alexfauquette Can you try again?

```
wget -S --header "Origin: https://hunger.openfoodfacts.org/" https://world.openfoodfacts.org/cgi/auth.pl
--2022-07-08 12:01:07--  https://world.openfoodfacts.org/cgi/auth.pl
Résolution de world.openfoodfacts.org (world.openfoodfacts.org)… 213.36.253.206
Connexion à world.openfoodfacts.org (world.openfoodfacts.org)|213.36.253.206|:443… connecté.
requête HTTP transmise, en attente de la réponse… HTTP/1.1 403 Forbidden
  Server: nginx/1.10.3
  Date: Fri, 08 Jul 2022 10:01:07 GMT
  Content-Type: text/html; charset=ISO-8859-1
  Transfer-Encoding: chunked
  Connection: keep-alive
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Origin: https://hunger.openfoodfacts.org/
2022-07-08 12:01:07 erreur 403 : Forbidden.
```

alexfauquette commented 2 years ago

It works when not logged in but not when logged in.

The first request is done when not logged in (number of cookies is 0 and the request status is 403). The second request is done after being logged in to the main website (number of cookies is 1 and the status is CORS error).

stephanegigandet commented 2 years ago

@alexfauquette ok I think it is working now :)


alexgarel commented 2 years ago

@stephane, could we also enable CORS for openfoodfacts.localhost? To ease development.

alexgarel commented 2 years ago

@stephanegigandet as discussed today we should handle the port, so that hunger game developers can test on a preprod server.
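The rule quoted above (a credentialed request needs Access-Control-Allow-Credentials: true and an Access-Control-Allow-Origin that matches the page's origin exactly, so `*` cannot be used) and the later requests for openfoodfacts.localhost and an explicit port are illustrated by this added example; it is not the project's Perl code or its nginx configuration. It keys on the request's Origin header checked against an allowlist rather than reflecting an arbitrary Referer, and the allowlist entries and the dev port are constructed assumptions. Note that browsers send Origin as scheme://host[:port] with no path or trailing slash, so a value like `https://hunger.openfoodfacts.org/` in the response will not match a page at `https://hunger.openfoodfacts.org`.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; the production list is not on the page.
ALLOWED_ORIGINS = {
    "https://hunger.openfoodfacts.org",
    "http://openfoodfacts.localhost",        # local development, as requested in the thread
    "http://openfoodfacts.localhost:8080",   # development with an explicit port (assumed port)
}


def normalize_origin(value):
    """Return scheme://host[:port] in lowercase, or None if value is not a usable origin.
    A trailing slash (as wget --header may send) is tolerated; any other path is rejected."""
    if not value or value.strip() == "null":
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port   # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()
    return f"{parts.scheme}://{host}:{port}" if port is not None else f"{parts.scheme}://{host}"


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS, credentials=True):
    """Response headers to add for a cross-origin request.

    Echoes the exact allow-listed origin (never '*' when cookies are involved),
    adds Allow-Credentials only when credentials are expected, and sets Vary: Origin
    so shared caches do not serve one origin's headers to another.
    Returns {} for unknown origins: the browser then blocks the cross-origin read.
    """
    origin = normalize_origin(request_headers.get("Origin"))
    if origin is None or origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```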

alexfauquette commented 2 years ago

@stephanegigandet Thanks 🎉 By curiosity, what did you change to make it work?

stephanegigandet commented 2 years ago

This should be fixed