search

vechain / thor

A general purpose blockchain highly compatible with Ethereum's ecosystem
GNU Lesser General Public License v3.0
799 stars 246 forks source link

v1.0.2 CORS is broken, had to rollback to 1.0.1 #141

Closed bradleySuira closed 6 years ago

bradleySuira commented 6 years ago

Hi there, the cors for the v1.0.2. is broken

OS Version:

Linux/OSX

Container

 ---
- name: thor container
  docker_container:
    name: thor-test
    image: vechain/thor:latest
    command: --verbosity 5 --network test --api-addr=0.0.0.0:8669 --api-cors "yourdoman.com, http://test.domain.com"
    state: started
    ports:
    - "0.0.0.0:8669:8669"
    - "11235:11235/udp"
    - "11235:11235"
    volumes:
    - /opt/vechain/test/.org.vechain.thor:/root/.org.vechain.thor

Commit hash

(I think that the problem it does look like this line): (https://github.com/vechain/thor/commit/881778535a8b31eada1c30d95daefb5b5250eb4c#diff-9451fba7d1d3546d6cea4605d78979f0L268)

Expected behavior

Allow requests from urls passed in --api-cors option.

Actual behavior

Get the error: Failed to load http://yourdomain:8669/blocks/0: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://yourdomain:PORT' is therefore not allowed access.

Steps to reproduce the behavior

  1. Upgrade to the latest version of thor (v1.0.2)
  2. Make a request from your working app
qianbin commented 6 years ago

@bradleySuira the CORS codes was moved to https://github.com/vechain/thor/commit/881778535a8b31eada1c30d95daefb5b5250eb4c#diff-604f4192deea5adf9c159e5f88f64630R71

I just tried to test with curl: start thor with

thor -network test -api-cors 'http://example.com'
Starting Thor/v1.0.2-41b0c69-release/darwin/go1.10.4
...

access with curl

curl -H "Origin: http://example.com" --verbose http://localhost:8669/blocks/0

and it outputs

*   Trying 127.0.0.1...
...
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://example.com
...

which shows CORS is working.

bradleySuira commented 6 years ago

Hi @qianbin thanks a lot for your response, but the behaviour in the browser is different vs CURL:

screen shot 2018-09-03 at 12 03 56 pm

If CORS is ok we should receive in the response, the header Access-Control-Allow-Origin: xxxxx, if not, in the browser we get an error.

curl -H "Origin: http://slots.dbet.local:3007" -H "Host:slots.dbet.local" --verbose http://localhost:8669/blocks/0

Request:

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8669 (#0)
> GET /blocks/0 HTTP/1.1
> Host:slots.dbet.local
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: http://slots.dbet.local:3007

Response:

No Access-Control-Allow-Origin: http://slots.dbet.local:3007 here

< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< X-Genesis-Id: 0x000000003a3e7437634e9ab026cd279a88a8f086c2f332421d424668ac976bc7
< Date: Mon, 03 Sep 2018 17:08:19 GMT
< Content-Length: 637
<
* Connection #0 to host localhost left intact
{"number":0,"id":"0x000000003a3e7437634e9ab026cd279a88a8f086c2f332421d424668ac976bc7","size":170,"parentID":"0xffffffff00000000000000000000000000000000000000000000000000000000","timestamp":1526400000,"gasLimit":10000000,"beneficiary":"0x0000000000000000000000000000000000000000","gasUsed":0,"totalScore":0,"txsRoot":"0x45b0cfc220ceec5b7c1c62c4d4193d38e4eba48e8815729ce75f9c0ab0e4c1c0","stateRoot":"0xaed7d0fab0bc7c920f7e74c5eb8c1919129130c323ffa52182574ff196b89901","receiptsRoot":"0x45b0cfc220ceec5b7c1c62c4d4193d38e4eba48e8815729ce75f9c0ab0e4c1c0","signer":"0x0000000000000000000000000000000000000000","isTrunk":true,"transactions":[]}%
qianbin commented 6 years ago

@bradleySuira so the node was started with -api-cors 'http://slots.dbet.local:3007' ?

libotony commented 6 years ago

@bradleySuira I started the thor using docker with folllowing command

docker run -it -p 127.0.0.1:8669:8669 -p 11235:11235 -p 11235:11235/udp vechain/thor --network test --api-addr :8669 --api-cors "http://slots.dbet.local:3007"

# Starting Thor/v1.0.2-41b0c69-release/linux/go1.10.4

And I tried test using curl, it works for me

curl -H "Origin: http://slots.dbet.local:3007" --verbose http://localhost:8669/blocks/0

*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8669 (#0)
> GET /blocks/0 HTTP/1.1
> Host: localhost:8669
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: http://slots.dbet.local:3007
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://slots.dbet.local:3007
< Content-Type: application/json; charset=utf-8
< X-Genesis-Id: 0x000000000b2bce3c70bc649a02749e8687721b09ed2e15997f466536b20bb127
< Date: Tue, 04 Sep 2018 03:02:22 GMT
< Content-Length: 637
<
* Connection #0 to host localhost left intact
{"number":0,"id":"0x000000000b2bce3c70bc649a02749e8687721b09ed2e15997f466536b20bb127","size":170,"parentID":"0xffffffff00000000000000000000000000000000000000000000000000000000","timestamp":1530014400,"gasLimit":10000000,"beneficiary":"0x0000000000000000000000000000000000000000","gasUsed":0,"totalScore":0,"txsRoot":"0x45b0cfc220ceec5b7c1c62c4d4193d38e4eba48e8815729ce75f9c0ab0e4c1c0","stateRoot":"0x4ec3af0acbad1ae467ad569337d2fe8576fe303928d35b8cdd91de47e9ac84bb","receiptsRoot":"0x45b0cfc220ceec5b7c1c62c4d4193d38e4eba48e8815729ce75f9c0ab0e4c1c0","signer":"0x0000000000000000000000000000000000000000","isTrunk":true,"transactions":[]}%
bradleySuira commented 6 years ago

@qianbin yes with -api-cors 'http://slots.dbet.local:3007'. Thanks @libotony, I think that I figure out whats the problem, It is related to docker-compose, for example, you can have issues with CORS, If you run:

docker run -it -p 8669:8669 -p 11235:11235 -p 11235:11235/udp vechain/thor --network test --api-addr :8669 --api-cors "http://slots.dbet.local:3007"

The difference is without the ip:port 127.0.0.1: 8669:8669, it's equivalent to our docker-compose, where the ip/port binding I think is not translated correctly, this is an example from docker-compose, as you can see, I tried to do the same ("127.0.0.1:8669:8669"), like you on command line docker run -it -p 127.0.0.1:8669:8669...

thor:
    image: vechain/thor:latest
    container_name: "thor-node"
    ports:
      - "127.0.0.1:8669:8669"
      - "11235:11235"
      - "11235:11235/udp"
    command: --network test --api-addr 0.0.0.0:8669 --api-cors "http://localhost:3007, http://dbet.slots.local:3007"
    volumes:
      - ./data/.org.vechain.thor:/root/.org.vechain.thor

Thanks for your patience and all your help guys!, and sorry for the confusion. We need to figure out how to deal with this blocker with compose/kubernetes

wupeaking commented 5 years ago

I don't think it's a CORS problem. This is because the loopback address is bound by default. If you are using docker for mac, you need to add the --api-addr parameter when starting. I hope the official can indicate it in the documentation. @libotony

libotony commented 5 years ago

@wupeaking It's documented in the readme

wupeaking commented 5 years ago

@libotony sorry, I didn't notice this detail before. This is my mistake