soundcloud / api

A public repo for our Developer Community to engage about bugs and feature requests on our Public API

401 errors are returned w/o CORS headers #172

Closed kirill-konshin closed 2 years ago

kirill-konshin commented 2 years ago

Title: Cannot retrieve all tracks for a user

Issue found on: Dec 7th, 2021

Endpoint(s):

/me

Scope(s):

OAuth with expired token

Steps to reproduce:

Send a request to any endpoint from Chrome browser with expired token.

Request:

Request URL: https://api.soundcloud.com/me?
Request Method: GET
Status Code: 401
Referrer Policy: strict-origin-when-cross-origin

Accept: application/json; charset=utf-8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ru;q=0.8,zh-CN;q=0.7,zh-TW;q=0.6,zh;q=0.5
Authorization: OAuth XXX <---------- EXPIRED TOKEN HERE
Cache-Control: no-cache
Connection: keep-alive
Content-type: application/json; charset=utf-8
DNT: 1
Host: api.soundcloud.com
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36

Response:

Cache-Control: private, max-age=0
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 147
Content-Type: application/json; charset=utf-8
Date: Tue, 07 Dec 2021 19:54:45 GMT
referrer-policy: no-referrer
Server: am/2
strict-transport-security: max-age=63072000; includeSubdomains; preload
Via: 1.1 45645ff3269a2b885ffa1653e827d0f7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ZoHJbbdVqJqZ-RH2uelcYiqaUBVA4nOenGbIBKIheynGWo-KzQysaA==
X-Amz-Cf-Pop: SFO20-C1
X-Cache: Error from cloudfront
x-content-type-options: nosniff
x-frame-options: DENY
x-robots-tag: noindex

P.S. Same applies to 500 and some other errors.

Expected behaviour:

Response should contain relevant CORS headers, otherwise it's not possible to see what is in response.

Actual behaviour:

In console:

Access to fetch at 'https://api.soundcloud.com/me?' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

GET https://api.soundcloud.com/me? net::ERR_FAILED 401

dasha-kobzeva commented 2 years ago

@kirill-konshin could you please provide more details on what kind of integration you have? Is it server-to-server?

kirill-konshin commented 2 years ago

> @kirill-konshin could you please provide more details on what kind of integration you have? Is it server-to-server?

I am expecting the 401, since the token is expired; the problem is the missing CORS header. The ticket clearly indicates that I'm using Chrome: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 and sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96".

dasha-kobzeva commented 2 years ago

Thank you for pointing out. We will look into the issue and get back to you as soon as we can.

dasha-kobzeva commented 2 years ago

Hello @kirill-konshin,

we have identified an issue and deployed a fix. Please could you verify if the issue is resolved for you?

kirill-konshin commented 2 years ago

It works now for the unauthorized request.

But it still fails for 500 errors (see ticket https://github.com/soundcloud/api/issues/170 for the steps by which I got the 500 error):

Request:

Request URL: https://api.soundcloud.com/playlists/240322671?
Request Method: PUT
Status Code: 500
Referrer Policy: strict-origin-when-cross-origin

Accept: application/json; charset=utf-8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ru;q=0.8,zh-CN;q=0.7,zh-TW;q=0.6,zh;q=0.5
Authorization: OAuth XXX
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 8986
Content-type: application/json; charset=utf-8
DNT: 1
Host: api.soundcloud.com
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36

Response:

Connection: keep-alive
Date: Thu, 09 Dec 2021 22:01:22 GMT
server: am/2
strict-transport-security: max-age=63072000; includeSubdomains; preload
Transfer-Encoding: chunked
Via: 1.1 a282f7d4f5ae65b33d809fbc6ea8641c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bOxFPHYIZyvZNJY2rkQ-W-GjlotzMmJJNtKVAyExZaugilUJSrL-gA==
X-Amz-Cf-Pop: SFO5-P1
X-Cache: Error from cloudfront

No CORS header in response.

dasha-kobzeva commented 2 years ago

I'm closing this ticket as resolved, as the 500 error has its own.

kirill-konshin commented 2 years ago

@dasha-kobzeva these are different issues. The 500 error in that ticket should not happen at all in the first place. And even if it does, this ticket is about the missing headers.

kirill-konshin commented 2 years ago

@dasha-kobzeva I am still not getting proper CORS headers on 500 errors: https://github.com/soundcloud/api/issues/170#issuecomment-1036590884 when is this going to be addressed?

dasha-kobzeva commented 2 years ago

Hello @kirill-konshin, Due to capacity limitations and higher priorities, we are unable to address this issue at the moment. As soon as we can prioritize it, we will update the ticket.

kirill-konshin commented 2 years ago

> Hello @kirill-konshin, Due to capacity limitations and higher priorities, we are unable to address this issue at the moment. As soon as we can prioritize it, we will update the ticket.

I understand. But the issue was reported 3 months ago, in December; it's an ugly customer-facing issue, and I am surprised it is not a priority.

dasha-kobzeva commented 2 years ago

@kirill-konshin we understand it is affecting our users and apologize for it, but so far we have not seen any similar reports, so we cannot bump it up on the priority list.