The original problem was the inability to change the Access-Control-Allow-Origin header. I could change all the other headers, but this one refused to change from "*", which means any other site can connect. Kind of defeats the purpose of CORS if I can't lock it down to only my URL!

Digging into the code, I found that in /root/node_modules/peer/dist/src/api/index.js it is using cors_1.default (see https://expressjs.com/en/resources/middleware/cors.html). The default configuration is the equivalent of:

```json
{
  "origin": "*",
  "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
  "preflightContinue": false,
  "optionsSuccessStatus": 204
}
```

This is overriding any attempt by me to change the 'Access-Control-Allow-Origin' header. The solution was to comment out the one line in index.js => `//app.use(cors_1.default());`
Then my code:

```js
const fs = require('fs');
const https = require('https');
const express = require('express');
const { ExpressPeerServer } = require('peer');

const app = express();

// TLS key and certificate for the HTTPS server
const options = {
  key: fs.readFileSync('../../etc/ssl/**.key'),  // server.key
  cert: fs.readFileSync('../../etc/ssl/**.crt'), // server.crt
};

const server = https.createServer(options, app);
const peerServer = ExpressPeerServer(server, { debug: true, path: '/' });

app.use(function (req, res, next) {
  // CORS headers see /root/node_modules/peer/dist/src/api/index.js comment out: //app.use(cors_1.default());
  // with GET browser doesn't always send preflight OPTIONS request - https://stackoverflow.com/questions/38742379/cors-why-my-browser-doesnt-send-options-preflight-request
  res.setHeader('Access-Control-Allow-Origin', 'https://myIncredibleSite.com');
  res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS, GET');
  res.setHeader('Access-Control-Allow-Credentials', 'true');
  next(); // pass the request on to the peer server routes
});

app.use('/', peerServer);

server.listen(9000);
```

Now the 'Access-Control-Allow-Origin' was being set for my site! Response Headers:

```
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, OPTIONS, GET
Access-Control-Allow-Origin: https://myIncredibleSite.com
Connection: keep-alive
Content-Length: 36
Content-Type: text/html; charset=utf-8
Date: Sat, 27 Nov 2021 00:32:01 GMT
ETag: W/"24-qROaMSL2j4dbBprousQgu07UvSw"
Keep-Alive: timeout=5
X-Powered-By: Express
```
However, still not 100%, as no cookies were being sent in the request headers using peerjs.js in the browser.... Digging again..! I found that peerjs.js is using fetch as opposed to XHR.

I changed the 'fetch' line to:

```js
fetch(url,{credentials: 'include'})];
```

(There are 2 fetch calls: one for getting the id and the other for listAllPeers.) `credentials: 'include'` adds cookies to the request; I needed this to track/check the session cookie.
Now I am getting cookies sent in the request as well!
Hopefully this will help someone, CORS is a difficult beast! I recommend finally doing a test run on a different site to check that CORS is actually working the way you expect.
Andrew
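
As an added example (not part of the post above and not the peer project's code), here is a variant of the header middleware that checks the request's Origin against an allowlist and exercises it offline with the "different site" test the post recommends. The names `restrictedCors` and `simulate`, the mock request/response objects and the origin `https://other-site.example` are assumptions made for illustration.

```javascript
// Added example (not from the post): allowlist-based CORS middleware with an
// Express-style (req, res, next) signature. All names here are hypothetical.
function restrictedCors(allowedOrigins) {
  // new URL().origin lowercases the host; browsers send Origin in that form
  // and compare Access-Control-Allow-Origin against it byte for byte.
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function (req, res, next) {
    const origin = req.headers.origin;
    res.setHeader('Vary', 'Origin'); // response depends on Origin, so caches must key on it
    if (origin && allowed.has(origin)) {
      res.setHeader('Access-Control-Allow-Origin', origin); // "*" is rejected with credentials
      res.setHeader('Access-Control-Allow-Credentials', 'true');
      res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS, GET');
    }
    if (req.method === 'OPTIONS') { // preflight: answer here, do not run the route
      res.statusCode = 204;
      return res.end();
    }
    // CORS is enforced by the browser; the request itself still reaches the route,
    // so session checks on the server remain necessary.
    next();
  };
}

// Constructed stand-ins for Express req/res so the policy can be checked offline.
function simulate(middleware, method, origin) {
  const headers = {};
  const result = { status: 200, headers, reachedRoute: false, ended: false };
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    set statusCode(code) { result.status = code; },
    end: () => { result.ended = true; },
  };
  middleware(req, res, () => { result.reachedRoute = true; });
  return result;
}

const cors = restrictedCors(['https://myIncredibleSite.com']); // site name from the post
const own = simulate(cors, 'GET', 'https://myincrediblesite.com');
const other = simulate(cors, 'GET', 'https://other-site.example'); // constructed origin
const preflight = simulate(cors, 'OPTIONS', 'https://other-site.example');
console.log('own site   ->', own.headers['access-control-allow-origin']);
console.log('other site ->', other.headers['access-control-allow-origin']);
console.log('preflight  ->', preflight.status, 'reached route:', preflight.reachedRoute);
```

The request from the other site gets no `Access-Control-Allow-Origin` header at all, so a browser refuses to expose the response to that page, while the allowed site gets its own origin echoed back together with the credentials header.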