How I successfully enabled CORS with 'Access-Control-Allow-Origin' and request.cookies #269

Open
rushglen opened this issue Nov 27, 2021 · 0 comments

The original problem was the inability to change the Access-Control-Allow-Origin header. I could change all the other headers, but this one refused to change from "*", which means any other site can connect. That kind of defeats the purpose of CORS if I can't lock it down to only my URL!

Digging into the code I found that in /root/node_modules/peer/dist/src/api/index.js it is using cors_1.default
(see https://expressjs.com/en/resources/middleware/cors.html)
The default configuration is the equivalent of:

```json
{
  "origin": "*",
  "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
  "preflightContinue": false,
  "optionsSuccessStatus": 204
}
```

This is overriding any attempt by me to change the 'Access-Control-Allow-Origin' header.
The solution was to comment out the one line in index.js: `//app.use(cors_1.default());`

Then my code:
```javascript
const fs = require('fs');
const https = require('https');
const express = require('express');
const { ExpressPeerServer } = require('peer');

const app = express();

// TLS key and certificate for the HTTPS server
const options = {
  key: fs.readFileSync('../../etc/ssl/.key'),  // server.key
  cert: fs.readFileSync('../../etc/ssl/.crt'), // server.crt
};

const server = https.createServer(options, app);

const peerServer = ExpressPeerServer(server, {
  debug: true,
  path: '/'
});

app.use(function (req, res, next) {
  // CORS headers; see /root/node_modules/peer/dist/src/api/index.js and comment out: //app.use(cors_1.default());
  // With GET the browser doesn't always send a preflight OPTIONS request - https://stackoverflow.com/questions/38742379/cors-why-my-browser-doesnt-send-options-preflight-request
  res.setHeader('Access-Control-Allow-Origin', 'https://myIncredibleSite.com');
  res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS, GET');
  res.setHeader('Access-Control-Allow-Credentials', 'true');

  if (req.method === 'OPTIONS') {
    console.log('req.method == options');
    res.writeHead(200);
    // Answer the preflight and stop here instead of falling through to next()
    return res.end();
  }
  next();
});

app.use('/', peerServer);

server.listen(9000);
```
Now the 'Access-Control-Allow-Origin' was being set for my site!
Response Headers:

```
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, OPTIONS, GET
Access-Control-Allow-Origin: https://myIncredibleSite.com
Connection: keep-alive
Content-Length: 36
Content-Type: text/html; charset=utf-8
Date: Sat, 27 Nov 2021 00:32:01 GMT
ETag: W/"24-qROaMSL2j4dbBprousQgu07UvSw"
Keep-Alive: timeout=5
X-Powered-By: Express
```

However, it was still not 100%, as no cookies were being sent in the request headers using peerjs.js in the browser...
Digging again, I found that peerjs.js is using fetch as opposed to XHR.

I changed the 'fetch' line to:
`fetch(url,{credentials: 'include'})];` (there are 2 fetch calls: one for getting the id and the other for listAllPeers)

`credentials: 'include'` adds cookies to the request; I needed this to track/check the session cookie.

Now I am getting cookies sent in the request as well!

Hopefully this will help someone. CORS is a difficult beast!
Finally, I recommend doing a test run on a different site to check that CORS is actually working the way you expect.

Andrew
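
The locked-down CORS setup described in this issue, as an added example that is not part of the original post or of the peer project's code: an Express-style middleware that echoes only allowlisted origins, sets `Vary: Origin`, and ends preflight requests without falling through to `next()`. `lockedCors`, `simulate` and the origin `https://app.example` are hypothetical names constructed for illustration.

```javascript
// Added example: `lockedCors` and its options are hypothetical, not part of peer or cors.
function lockedCors({ origins, methods = ['GET', 'POST', 'OPTIONS'] }) {
  // Exact-match allowlist. Write entries the way browsers serialize an origin:
  // scheme://host[:port], lowercase host, no trailing slash.
  const allowed = new Set(origins);
  return function (req, res, next) {
    const origin = req.headers.origin;
    // The response varies with the Origin request header, so caches must key on it.
    res.setHeader('Vary', 'Origin');
    if (origin && allowed.has(origin)) {
      // Echo the one matching origin; browsers reject "*" on credentialed requests.
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
      res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
    }
    if (req.method === 'OPTIONS') {
      // Answer the preflight and stop: calling next() after end() would let
      // later handlers write to an already finished response.
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}

// Minimal stand-ins for Express req/res so the middleware runs offline.
function simulate(middleware, method, origin) {
  const result = { headers: {}, status: 200, ended: false, passedOn: false };
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    setHeader: (k, v) => { result.headers[k.toLowerCase()] = v; },
    set statusCode(code) { result.status = code; },
    end: () => { result.ended = true; },
  };
  middleware(req, res, () => { result.passedOn = true; });
  return result;
}

// Constructed sample origins: one allowlisted, one not.
const cors = lockedCors({ origins: ['https://app.example'] });
console.log(simulate(cors, 'GET', 'https://app.example').headers);
console.log(simulate(cors, 'GET', 'https://other.example').headers);
console.log(simulate(cors, 'OPTIONS', 'https://app.example').status);
```

A request from an origin outside the allowlist receives no `Access-Control-Allow-*` headers at all, so the browser blocks the cross-origin read even when cookies are attached.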
