ory / cli

Create bulk action scripts, automate your tasks, manage your projects, and seamlessly interact with the Ory Network using the Ory command line interface (CLI).
Apache License 2.0

`ory proxy` exposes duplicate cors headers when already configured upstream #344

Open JuxhinDB opened 6 months ago

JuxhinDB commented 6 months ago

Preflight checklist

Ory Network Project

https://goofy-dewdney-rri0sodzzj.projects.oryapis.cojm

Describe the bug

We have a use-case to use the ory proxy auxiliary function to proxy our dev environment locally along with the ory session handler. This enables frontend developers to work on the UI while being authenticated correctly.

The issue arises when upstream services already handle CORS headers for you. The proxy will add its own CORS headers as part of the proxy middleware, which results in duplicate headers, causing CORS to fail in the browser. The only solution right now was to fork and patch the cli with the following patch.

diff --git a/cmd/cloudx/proxy/proxy.go b/cmd/cloudx/proxy/proxy.go
index a5c9f82..cb57b43 100644
--- a/cmd/cloudx/proxy/proxy.go
+++ b/cmd/cloudx/proxy/proxy.go
@@ -223,6 +223,12 @@ func run(cmd *cobra.Command, conf *config, version string, name string) error {
            return body, nil
        }),
        proxy.WithRespMiddleware(func(resp *http.Response, config *proxy.HostConfig, body []byte) ([]byte, error) {
+
+           // Remove a duplicate Access Control header
+           resp.Header.Del("Access-Control-Allow-Origin")
+           // Remove a duplicate Access Allow Credentuals header
+           resp.Header.Del("Access-Control-Allow-Credentials")
+
            l, err := resp.Location()
            if err == nil {
                // Redirect to main page if path is the default ui welcome page.
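Review bot: the two `resp.Header.Del` calls run unconditionally, so every upstream response loses its `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials`, and the upstream's own origin policy is silently replaced by whatever the proxy's CORS layer decides, even in setups where the proxy adds no CORS headers at all. Gate the deletion on the proxy's CORS middleware actually being active (or behind a new flag), and note that only these two headers are covered: any other `Access-Control-*` header the upstream sets still passes through and can collide with the proxy's. The comment also has a typo, "Credentuals".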
@@ -239,17 +245,16 @@ func run(cmd *cobra.Command, conf *config, version string, name string) error {
        return nil
    }

-   var originFunc func(r *http.Request, origin string) bool
-   if conf.isDev {
-       originFunc = func(r *http.Request, origin string) bool {
-           return true
-       }
+   originFunc := func(r *http.Request, origin string) bool {
+       return true
    }

+   corsOrigins := []string{"http://localhost:3000", "http://localhost:4000"}
+
    proto := "http"
    addr := fmt.Sprintf(":%d", conf.port)
    ch := cors.New(cors.Options{
-       AllowedOrigins:         conf.corsOrigins,
+       AllowedOrigins:         corsOrigins,
        AllowOriginRequestFunc: originFunc,
        AllowedMethods:         corsx.CORSDefaultAllowedMethods,
        AllowedHeaders:         append(corsx.CORSRequestHeadersSafelist, corsx.CORSRequestHeadersExtended...),
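Review bot: this hunk changes behaviour well beyond the dedup fix. Dropping the `conf.isDev` guard makes `originFunc` return `true` for every origin in all modes, and replacing `conf.corsOrigins` with the hard-coded `corsOrigins` list discards whatever origins the user configured. In rs/cors a non-nil `AllowOriginRequestFunc` takes precedence over `AllowedOrigins`, so the hard-coded list has no effect anyway while `originFunc` always returns `true`. Keep `conf.corsOrigins` and the `isDev` gate, and limit the change to the response middleware in the first hunk.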

Reproducing the bug

  1. Have an upstream service that handles CORS headers;
  2. Run the ory proxy: ory proxy --dev --project goofy-dewdney-rri0sodzzj $upstream
  3. Access the login url: http://localhost:4000/.ory/self-service/login/browser?return_to=http://localhost:3000
  4. Login

This will result in you getting redirected to http://localhost:3000/, which will fetch an api endpoint through the proxy. The response of the proxied request will contain duplicate CORS headers, leading to CORS failure in the browser.

Relevant log output

No response

Relevant configuration

No response

Version

Version: v0.3.4 Git Hash: 654e4987a7c0a6111988dccb158541329ec36c9f Build Time: 2024-02-10T10:29:21Z

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Binary

Additional Context

No response
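The duplication the report describes, as an added stand-alone Go example (not code from ory/cli): a stub corsLayer stands in for the rs/cors middleware in ory proxy, a constructed upstream already answers CORS, and httputil.ReverseProxy sits between them; with dedupe enabled, a ModifyResponse hook strips the upstream copies the way the patch's response middleware does. The names corsLayer, newProxy and corsHeaderValues are assumptions of this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// corsLayer stands in for the rs/cors layer in ory proxy: it answers CORS for the request's Origin.
func corsLayer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// newProxy chains corsLayer -> ReverseProxy, which copies upstream headers with Add, so an upstream
// answering CORS itself yields two values per header; with dedupe on, ModifyResponse drops its copies first.
func newProxy(upstream *url.URL, dedupe bool) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	if dedupe {
		rp.ModifyResponse = func(resp *http.Response) error {
			resp.Header.Del("Access-Control-Allow-Origin")
			resp.Header.Del("Access-Control-Allow-Credentials")
			return nil
		}
	}
	return corsLayer(rp)
}

// corsHeaderValues sends one request with the given Origin through the chain, in front of a constructed
// upstream that already answers CORS (as in the report), and returns every Access-Control-Allow-Origin seen.
func corsHeaderValues(dedupe bool, origin string) []string {
	up := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
	}))
	defer up.Close()
	u, _ := url.Parse(up.URL)
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	req.Header.Set("Origin", origin)
	newProxy(u, dedupe).ServeHTTP(rec, req)
	return rec.Result().Header.Values("Access-Control-Allow-Origin")
}

func main() { println(len(corsHeaderValues(false, "http://localhost:3000"))) }
```

Without dedupe the browser receives two Access-Control-Allow-Origin values and rejects the response; with dedupe it receives exactly one.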

aeneasr commented 6 months ago

Hey - awesome find! Would you mind creating a PR for this? :) Looks like you already have the diff :)

sahra-karakoc commented 3 weeks ago

I am running into the same problem for ory tunnel, what is the current state of this issue?

JuxhinDB commented 3 weeks ago

Didn't have time to fix this unfortunately, but you should be able to apply the patch locally (assuming things didn't change much) and build the binaries. Otherwise a PR fix would be ideal for the maintainers.

sahra-karakoc commented 3 weeks ago

I disabled CORS for my Ory project using the Ory CLI and that fixed my problem

ory patch project <your-project-id> \
  --replace '/cors_public/enabled=false' \