Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow_headers config allways falls back to * #1133

Open
Mettwasser opened this issue Jan 3, 2025 · 12 comments
Open

allow_headers config allways falls back to * #1133

Mettwasser opened this issue Jan 3, 2025 · 12 comments

Comments

@Mettwasser
Copy link

Mettwasser commented Jan 3, 2025

Description
The error in question:

Invalid CORS configuration: Cannot combine `Access-Control-Allow-Credentials: true` with `Access-Control-Expose-Headers: *`

This is the config I am using:

cors:
  enable: true
  allow_credentials: true
  allow_methods:
    - POST
    - GET
    - PATCH
    - DELETE
  allow_headers:
    - Content-Type
  allow_origins:
    - http://test.mydomain.com:5173

Additionally, running cargo loco middleware --config yields this for cors

cors                   {"allow_credentials":true,"allow_headers":["Content-Type"],"allow_methods":["POST","GET","PATCH","DELETE"],"allow_origins":["http://test.mydomain.com:5173"],"enable":true,"max_age":null,"vary":["origin","access-control-request-method","access-control-request-headers"]}

which does look right to me.

To Reproduce

Use the config shown above

Expected Behavior

Start without this config error

Environment:
development

@kaplanelad
Copy link
Contributor

@Mettwasser
Copy link
Author

read this: https://stackoverflow.com/a/19744754/453641

my issue is that I did not set Access-Control-Expose-Headers to *, and it looks like the config overwrites it either way.
The config is set to Content-Type, but it still uses the wildcard..

@Mettwasser
Copy link
Author

@kaplanelad I'm completely desperate. The config seems to be ignored.

Running this config:

cors:
  enable: true
  # allow_credentials: true
  allow_headers:
    - content-type
    - x-request-id
    - x-powered-by
    - content-length
    - date
    - connection
  allow_origins:
    - http://localhost:5173/
    - http://localhost:5150

and requesting, result in these headers in the response:

HTTP/1.1 200 OK
set-cookie: session=b5024bd0-fb62-4e44-a725-aa743af66c4a; HttpOnly; Expires=Sun, 05 Jan 2025 00:00:18 GMT
content-type: application/json
vary: origin, access-control-request-method, access-control-request-headers
access-control-expose-headers: *
x-request-id: dd8ac820-f9c8-4e45-972c-b866a5dd04e9
x-powered-by: loco.rs
content-length: 216
date: Sat, 04 Jan 2025 23:00:18 GMT

I really don't know what I'm doing wrong here, since it looks right. Showing the config also looks right, but when actually running it, it seems like it's not applied correctly?

@Mettwasser
Copy link
Author

Mettwasser commented Jan 4, 2025

One more thing:
Manually adding a

tower_http::cors::CorsLayer::new()
    .allow_origin("http://localhost:5173".parse::<HeaderValue>().unwrap())
    .allow_credentials(true)

in after_routes,results in this header:

HTTP/1.1 200 OK
set-cookie: session=72075347-8f7c-4294-a98d-dafbe219a41e; HttpOnly; Expires=Sun, 05 Jan 2025 00:30:04 GMT
content-type: application/json
x-request-id: fdef5b56-6ba4-4934-ba8e-4ec58716b3e9
x-powered-by: loco.rs
vary: origin, access-control-request-method, access-control-request-headers
access-control-allow-credentials: true
access-control-allow-origin: http://localhost:5173
content-length: 216
date: Sat, 04 Jan 2025 23:30:04 GMT

which is correct. So I think this is 100% an issue with the config/how its applied.

@kaplanelad
Copy link
Contributor

kaplanelad commented Jan 5, 2025

Thanks for the catch, @Mettwasser!

Could you take a look at our setup here and help us identify what we might have missed?
https://github.com/loco-rs/loco/blob/master/src/controller/middleware/cors.rs

@Mettwasser
Copy link
Author

Mettwasser commented Jan 5, 2025

Thanks for the catch, @Mettwasser!

Could you take a look at our setup here and help us identify what we might have missed? https://github.com/loco-rs/loco/blob/master/src/controller/middleware/cors.rs

@kaplanelad No problem!

I might have found something, alltho I am not sure. Unfortunately I don't have the time to investigate further.
https://github.com/loco-rs/loco/blob/master/src/controller/middleware/cors.rs#L182-L237
Running the case

#[case("with_allow_headers", Some(vec!["token".to_string(), "user".to_string()]), None, None)]

Then debugging the response variable, the "token" and "user" are nowhere to be found in the headers.
image
Might be a good point to continue searching from.

@kaplanelad
Copy link
Contributor

@Mettwasser i'll check it

@kaplanelad
Copy link
Contributor

kaplanelad commented Jan 7, 2025

Hi @Mettwasser,

I've resolved this issue. Could you please test it by working with the cors-issues branch? Here's the link to the pull request for reference: #1152.

Let me know if it resolves your problem!

@Mettwasser
Copy link
Author

Hi @Mettwasser,

I've resolved this issue. Could you please test it by working with the cors-issues branch? Here's the link to the pull request for reference: #1152.

Let me know if it resolves your problem!

I'll get to it as soon as I can

@Mettwasser
Copy link
Author

@kaplanelad doesn't seem like it's fixed. Still the same error, using
loco-rs = { workspace = true, git = "https://github.com/loco-rs/loco", branch = "cors-issues" }
with this config:

server:
  # Port on which the server will listen. the server binding is 0.0.0.0:{PORT}
  port: 5150
  # The UI hostname or IP address that mailers will point to.
  host: http://localhost
  # Out of the box middleware configuration. to disable middleware you can changed the `enable` field to `false` of comment the middleware block
  middlewares: 
    static:
      enable: false
      must_exist: true
      precompressed: false
      folder:
        uri: "/"
        path: "frontend/build"
      # fallback: "frontend/build/index.html"
    
    cors:
      enable: true
      allow_credentials: true
      allow_methods:
        - GET
        - POST
        - PUT
        - DELETE
        - PATCH
        - OPTIONS
      allow_headers:
        - content-type
        - x-request-id
        - x-powered-by
        - content-length
        - date
        - connection
      allow_origins:
        - http://localhost:5173
        - http://localhost:5150
thread 'main' panicked at C:\Users\Anwender\.cargo\registry\src\index.crates.io-6f17d22bba15001f\tower-http-0.6.2\src\cors\mod.rs:804:9:
Invalid CORS configuration: Cannot combine `Access-Control-Allow-Credentials: true` with `Access-Control-Expose-Headers: *`

@Mettwasser
Copy link
Author

Manually creating the CorsLayer works fine:

CorsLayer::new()
    .allow_origin(AllowOrigin::list([
        "http://localhost:5173".parse::<HeaderValue>().unwrap(),
        "http://localhost:5150".parse::<HeaderValue>().unwrap(),
    ]))
    .allow_methods(AllowMethods::list([
        axum::http::Method::GET,
        axum::http::Method::POST,
        axum::http::Method::PUT,
        axum::http::Method::DELETE,
        axum::http::Method::PATCH,
        axum::http::Method::OPTIONS,
    ]))
    .allow_headers(AllowHeaders::list([
        HeaderName::from_lowercase(b"content-type").unwrap(),
        HeaderName::from_lowercase(b"x-request-id").unwrap(),
        HeaderName::from_lowercase(b"x-powered-by").unwrap(),
        HeaderName::from_lowercase(b"content-length").unwrap(),
        HeaderName::from_lowercase(b"date").unwrap(),
        HeaderName::from_lowercase(b"connection").unwrap(),
    ]))
    .allow_credentials(true)

@kaplanelad
Copy link
Contributor

I copied your Cors configuration again, and the server is successfully running.
image

Can you make sure that you are working with the update code? working from the master is good also, the PR was merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants