CORS allowed origins doesn't work on per-route basis
#6970 opened on Apr 13, 2020
Description
Node version: 12.14.0 (also tried on 8.17.0)
Sails version (sails): 1.2.4 (issue also exists in 1.0.2)
ORM hook version (sails-hook-orm): 2.1.1
Sockets hook version (sails-hook-sockets): 2.0.0
Organics hook version (sails-hook-organics):
Grunt hook version (sails-hook-grunt): 4.0.0
Uploads hook version (sails-hook-uploads):
DB adapter & version (e.g. sails-mysql@5.55.5):
Skipper adapter & version (e.g. skipper-s3@5.55.5):
Issue
I created two client and server repositories in which you should be able to reproduce this issue, see the READMEs on how to run it. I also deployed the client and server on Heroku.
I was trying to implement the allowOrigins CORS setting on a per-route basis and I noticed it wasn't working. The Access-Control-Allow-Origin wouldn't be set to the value I specified in the CORS dictionary of a single route, which should be possible according to the docs.
I created a simple action in my UserController called test which just returns 'ok' and which should only be allowed to be called from https://some-domain.com, but when I run the client in the repo above (which runs on Heroku / localhost) I get a 200 response with an Access-Control-Allow-Origin header value of '*' (equal to my global CORS configuration), while I expected it to fail because I set the route to only allow requests from https://some-domain.com (see below).
Implementation
My implementation in config/routes.js:
```javascript
// config/routes.js
module.exports.routes = {
  'GET /test': {
    action: 'user/test',
    cors: {
      allowOrigins: ['https://somedomain.com'],
    },
  },
};
```
Most related issues were closed and I couldn't find an answer / solution to my problem.
Workaround
The workaround I used for now is to just include all domains in the global CORS allowOrigins configuration.
Edit: split the reproduction repository up into a separate client and server repository and added links to the apps on Heroku
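The mismatch described in this issue (a restricted route answering with the global `*` instead of enforcing its own allowlist) is the kind of thing a small regression check can catch before deployment. The following is an added example, not code from the issue author or from the Sails project: it computes the Access-Control-Allow-Origin value a route should return under its configuration and compares that with what was observed. Two assumptions, modelled on the Sails docs and marked as such in the comments: a per-route `cors.allowOrigins` overrides the global setting, and a listed origin that matches is echoed back verbatim while a non-matching origin gets no header. The route table and the observed responses are constructed sample data shaped like the issue's config/routes.js.

```javascript
// Added example (not from the issue or the Sails project): compare the
// Access-Control-Allow-Origin header a route actually returns with what its
// CORS configuration says it should return.
//
// Assumptions (modelled on the Sails docs, not verified against Sails source):
//  - a per-route `cors.allowOrigins` overrides the global `allowOrigins`;
//  - `'*'` yields a literal `*` header;
//  - an array allowlist echoes a matching Origin verbatim, and a non-matching
//    Origin results in no Access-Control-Allow-Origin header at all.

// Return the header value the route should send for this request Origin, or
// null when the origin is not allowed and the header should be absent.
function expectedAllowOrigin(globalAllowOrigins, routeAllowOrigins, requestOrigin) {
  const effective = routeAllowOrigins !== undefined ? routeAllowOrigins : globalAllowOrigins;
  if (effective === '*') return '*';
  if (!Array.isArray(effective)) return null;
  // Exact string match on scheme + host + port; no wildcard or suffix matching.
  return effective.includes(requestOrigin) ? requestOrigin : null;
}

// Audit observed responses against the routes table. Each observation is
// { route, origin, allowOriginHeader } with allowOriginHeader === null when
// the response carried no such header. Returns the list of mismatches.
function auditCors(globalAllowOrigins, routes, observations) {
  const mismatches = [];
  for (const obs of observations) {
    const routeCfg = routes[obs.route] || {};
    const routeAllow = routeCfg.cors ? routeCfg.cors.allowOrigins : undefined;
    const expected = expectedAllowOrigin(globalAllowOrigins, routeAllow, obs.origin);
    if (expected !== obs.allowOriginHeader) {
      mismatches.push({
        route: obs.route,
        origin: obs.origin,
        expected,
        actual: obs.allowOriginHeader,
      });
    }
  }
  return mismatches;
}

// Constructed sample configuration, shaped like the issue's config/routes.js.
const GLOBAL_ALLOW_ORIGINS = '*';
const ROUTES = {
  'GET /test': { action: 'user/test', cors: { allowOrigins: ['https://somedomain.com'] } },
  'GET /public': { action: 'user/public' },
};

// Constructed observations: the first mirrors what the issue reports (a '*'
// header on the restricted route); the other two behave as configured.
const OBSERVATIONS = [
  { route: 'GET /test', origin: 'http://localhost:3000', allowOriginHeader: '*' },
  { route: 'GET /test', origin: 'https://somedomain.com', allowOriginHeader: 'https://somedomain.com' },
  { route: 'GET /public', origin: 'http://localhost:3000', allowOriginHeader: '*' },
];

function runAudit() {
  return auditCors(GLOBAL_ALLOW_ORIGINS, ROUTES, OBSERVATIONS);
}

for (const m of runAudit()) {
  console.log(`${m.route} from ${m.origin}: expected ${m.expected}, got ${m.actual}`);
}
```

Run against real traffic, the observations would come from the responses of a test client that sends a known Origin header to each route; a non-empty mismatch list is the signal that a per-route allowlist is not being enforced, which is exactly what the issue describes.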