resgateio / resgate

A Realtime API Gateway used with NATS to build REST, real time, and RPC APIs, where all your clients are synchronized seamlessly.
https://resgate.io
MIT License
685 stars 67 forks

CORS - allowing content-type on headers #171

Closed g-belmonte closed 4 years ago

g-belmonte commented 4 years ago

Greetings!

I've been dealing with an application that has different servers for the frontend and its API. Resgate is the entrypoint for the API, and I was trying to do some REST requests from the frontend, but having trouble when setting the header "Content-Type: application/json", because resgate's answer didn't have the header "Access-Control-Allow-Headers: content-type". I added it to the code, and things started to work perfectly for me.

If you think this change might bring value to the project, here's the PR: https://github.com/resgateio/resgate/pull/173

g-belmonte commented 4 years ago

I was solving this issue with @raphaelpereira, and I saw we both opened a PR for that. (the other PR is https://github.com/resgateio/resgate/pull/172)

Please, feel free to close one of them :smile:

jirenius commented 4 years ago

Hi @g-belmonte and @raphaelpereira

Sorry for the slow response. Week has been mightily busy.

Great that you guys made it work! (and made me aware of the issue 😃 )

#172 (and #173) covers the most common case with Content-Type, but better to cover it completely.

Since request headers will have no side-effects with Resgate, and attempts to forge headers such as X-Forwarded-Host can easily be countered at the reverse proxy if some RES-service for some weird reason should depend on it. So.. yeah, I think it is safe to allow any headers.

But, with those changes, I actually made my own branch where the Access-Control-Request-Headers value is mirrored to the Access-Control-Allow-Headers (I am not sure how well the browsers support the *-wildcard, so mirroring is more safe).

https://github.com/resgateio/resgate/tree/feature/gh-171-cors-access-control-allow-headers

If you have the time, please try it out to see if it solves your issue.
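
The mirroring approach described in the comment above, sketched as an added Go example (not part of the thread and not Resgate's own code): the preflight handler echoes `Access-Control-Request-Headers` back as `Access-Control-Allow-Headers`, dropping names that are not valid header tokens and adding `Vary` so caches keep differing preflights apart. The function names, the request path and the origin `https://app.example` are assumptions made for illustration. Mirroring also avoids two limits of the `*` wildcard: browsers do not let it cover `Authorization`, and they treat it as a literal header name on credentialed requests.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// token matches a valid HTTP header field name (RFC 7230 "token").
var token = regexp.MustCompile("^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

// mirrorAllowHeaders echoes the requested names, dropping anything malformed.
func mirrorAllowHeaders(requested string) string {
	var names []string
	for _, n := range strings.Split(requested, ",") {
		if n = strings.TrimSpace(n); token.MatchString(n) {
			names = append(names, n)
		}
	}
	return strings.Join(names, ", ")
}

// handlePreflight answers a CORS preflight; origin is an assumed configured value.
func handlePreflight(w http.ResponseWriter, r *http.Request, origin string) {
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin)
	h.Add("Vary", "Access-Control-Request-Headers") // response depends on this header
	if v := mirrorAllowHeaders(r.Header.Get("Access-Control-Request-Headers")); v != "" {
		h.Set("Access-Control-Allow-Headers", v)
	}
	w.WriteHeader(http.StatusNoContent)
}

// demoPreflight sends a constructed OPTIONS request and returns the response headers.
func demoPreflight(requested string) http.Header {
	req := httptest.NewRequest(http.MethodOptions, "/api/example/model", nil)
	req.Header.Set("Access-Control-Request-Headers", requested)
	rec := httptest.NewRecorder()
	handlePreflight(rec, req, "https://app.example")
	return rec.Result().Header
}

func main() {
	fmt.Println(demoPreflight("content-type, authorization").Get("Access-Control-Allow-Headers"))
}
```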

g-belmonte commented 4 years ago

No worries, @jirenius! Actually, thanks for spending time taking a look at this issue. Time is a scarce resource :smiley:

Well, my fix worked until I had to do a request with authorization. Then I had to add Access-Control-Allow-Headers: authorization to the headers and I started to think "what other headers am I missing?"... so, I do think that mirroring the Access-Control-Request-Headers would be an easy way forward! I'll go test your branch, and I'll be back soon with the results :smile:

g-belmonte commented 4 years ago

And yes, your branch is working perfectly :smile: :+1:

jirenius commented 4 years ago

Great! Thanks for the help.

I'll have the branch merged to develop, and then release a patch version of Resgate instead of waiting for next minor release.

jirenius commented 4 years ago

Resolved in #174