Comments (13)
@codyzu ptal
from fastify-cors.
your regex is not good, use:
new RegExp(/http:\/\/localhost/)
from fastify-cors.
RegExp should handle the escaping correctly, no?
console.log(new RegExp('http://localhost'))
// prints: /http:\/\/localhost/
Which should turn it into: origin: /http:\/\/localhost/
from fastify-cors.
you wrote:
origin: new RegExp(/http://localhost/),
// not
origin: new RegExp('http://localhost'),
from fastify-cors.
oh my bad, that was a copy/paste error for the reproduction on my end. I actually use an ENV variable to fill the RegExp. I edited the reproduction above.
from fastify-cors.
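An added example, not part of the original thread and not fastify-cors code: when the `origin` pattern is built from a string such as an ENV value, a `RegExp` tested with `RegExp.prototype.test` matches anywhere inside the Origin value unless it is anchored, and unescaped dots match any character. The helper names and the sample origins below are constructed for illustration.

```javascript
// Added example, not fastify-cors code. The origin values are constructed.

// Escape regex metacharacters so a configured origin is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a pattern that must match the whole Origin value.
// anyPort allows an optional ":<port>" suffix (useful for localhost).
function originPattern(origin, { anyPort = false } = {}) {
  const port = anyPort ? '(?::\\d{1,5})?' : '';
  return new RegExp('^' + escapeRegExp(origin) + port + '$');
}

// Compare the unanchored form from the thread with the anchored form.
function compare(configured, candidates) {
  const loose = new RegExp(configured);
  const strict = originPattern(configured, { anyPort: true });
  return candidates.map((origin) => ({
    origin,
    loose: loose.test(origin),
    strict: strict.test(origin),
  }));
}

const results = compare('http://localhost', [
  'http://localhost',
  'http://localhost:3000',
  'http://localhost.untrusted.example',
]);
console.table(results);

// An unescaped dot in the configured value also matches other characters.
const dotCase = compare('https://app.example.com', ['https://appxexample.com']);
console.table(dotCase);
```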
I can't reproduce this on my machine with fastify-cors 5.0.0.
Can you copy the request and response headers for the OPTIONS request in the chrome dev tools network tab (right-click on the OPTIONS request and copy the request/response headers)?
fastify-cors does not return 401, so I would be suspicious of the authentication plugin. What are you using for auth?
from fastify-cors.
Hmm you are right, I found the issue in my own preHandler hook that does the authentication. I was using req.context.config to figure out which route is being called.
This now differs in version 5.0.0 (maybe intentionally? should I be using a different Fastify method to get this?)
4.1.0:
fastify.addHook('preHandler', (req, reply, done) => {
  console.log(req.context.config)
  // { url: '/api/login', method: 'POST' }
})
5.0.0:
fastify.addHook('preHandler', (req, reply, done) => {
  console.log(req.context.config)
  // { url: '*', method: 'OPTIONS' }
})
from fastify-cors.
req.routerPath and req.routerMethod would be the official way to check which router is handling the route (in place of req.context).
The problem you are most likely seeing is that in fastify-cors 5.0.0 processing of a preflight request is done in a route: OPTIONS * and you should not enforce authentication on that route. Try adding this to your preHandler hook:
fastify.addHook('preHandler', (req, reply, done) => {
  // Don't authenticate preflight requests
  if (req.routerPath === '*' && req.routerMethod === 'OPTIONS') {
    return done();
  }
  // Your authentication code ...
})
It could also be resolved by not having a global preHandler hook for authentication and instead authenticating only the routes or plugins that require authentication.
@mcollina I believe this is a side effect of moving the preflight handling into a route (previously the response would have been handled in fastify-cors onRequest hook). Consumers need to be careful not to enforce authentication on the preflight route... Do you see this as a problem? I can add an example in the docs
from fastify-cors.
In theory, a cors OPTIONS request should include all headers needed for auth/what would be included in the original request. It should be ok to perform auth for those requests.. could you do a quick check with a browser for both jwt and cookie based solutions?
from fastify-cors.
thanks for the pointer to req.routerPath, I've added the preflight skip to the code on my end for now
from fastify-cors.
For simple CORS requests (requests that don't require pre-flighting), the headers are included.
For preflight requests (the CORS OPTIONS request), the browser removes the original request headers. Instead, it includes the name of the headers in Access-Control-Request-Headers header, but not the values. See here.
I tested this with JWT, but not yet cookies. In any case, it seems like it will continue to create problems for anyone who authenticates all requests.
from fastify-cors.
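An added example, not part of the original thread and not Fastify or fastify-cors code: it models the decision a global authentication hook takes for the preflight described above, which names `authorization` in Access-Control-Request-Headers but carries no token value. The function names, the Bearer check and the request objects are assumptions constructed for illustration; the exemption is limited to requests that carry the preflight headers, so a bare OPTIONS request is still authenticated.

```javascript
// Added example; request objects are constructed, not captured traffic.

// A CORS preflight is an OPTIONS request that carries both Origin and
// Access-Control-Request-Method.
function isCorsPreflight(req) {
  return req.method === 'OPTIONS' &&
    typeof req.headers.origin === 'string' &&
    typeof req.headers['access-control-request-method'] === 'string';
}

// Hypothetical credential check: a Bearer token value must be present.
function hasCredentials(req) {
  return /^Bearer \S+$/.test(req.headers.authorization || '');
}

// Decision a global auth hook would take for one request.
function authDecision(req, { skipPreflight }) {
  if (skipPreflight && isCorsPreflight(req)) return 'skip';
  return hasCredentials(req) ? 'allow' : 'reject-401';
}

// Preflight: header names only, no Authorization value.
const preflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'http://localhost:3000',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'authorization,content-type',
  },
};

// The actual request that follows a successful preflight.
const actual = {
  method: 'POST',
  headers: {
    origin: 'http://localhost:3000',
    authorization: 'Bearer constructed.token.value',
  },
};

// OPTIONS without the CORS preflight headers is not exempted.
const bareOptions = { method: 'OPTIONS', headers: {} };

console.log(authDecision(preflight, { skipPreflight: false })); // symptom in the thread
console.log(authDecision(preflight, { skipPreflight: true }));
console.log(authDecision(bareOptions, { skipPreflight: true }));
console.log(authDecision(actual, { skipPreflight: true }));
```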
@DRoet this should be resolved with the 5.1.0 release of fastify-cors, returning the pre 5.0.0 behavior and removing the need to not authenticate OPTIONS requests. With the default options, fastify-cors should now automatically reply to preflight requests before the authentication plugin.
AFAIK this can be closed.
from fastify-cors.
thanks!
from fastify-cors.