balderdashy/sails

CORS allowed origins doesn't work on per-route basis

Open

#6970 opened on 13 Apr 2020

Labels: bug, docs, help wanted


Description

Node version: 12.14.0 (also tried on 8.17.0)
Sails version (sails): 1.2.4 (issue also exists in 1.0.2)
ORM hook version (sails-hook-orm): 2.1.1
Sockets hook version (sails-hook-sockets): 2.0.0
Organics hook version (sails-hook-organics):
Grunt hook version (sails-hook-grunt): 4.0.0
Uploads hook version (sails-hook-uploads):
DB adapter & version (e.g. sails-mysql@5.55.5):
Skipper adapter & version (e.g. skipper-s3@5.55.5):

Issue

I created two client and server repositories in which you should be able to reproduce this issue, see the READMEs on how to run it. I also deployed the client and server on Heroku.

I was trying to implement the allowOrigins CORS setting on a per-route basis and I noticed it wasn't working. The Access-Control-Allow-Origin wouldn't be set to the value I specified in the CORS dictionary of a single route, which should be possible according to the docs.

I created a simple action in my UserController called test which just returns 'ok' and which should only be allowed to be called from https://some-domain.com, but when I run the client in the repo above (which runs on Heroku / localhost) I get a 200 response with an Access-Control-Allow-Origin header value of '*' (equal to my global CORS configuration), while I expected it to fail because I set the route to only allow requests from https://some-domain.com (see below).

Implementation

My implementation in config/routes.js:

// config/routes.js
module.exports.routes = {
  'GET /test': {
    action: 'user/test',
    // per-route CORS dictionary, expected to override the global allowOrigins
    cors: {
      allowOrigins: ['https://somedomain.com'],
    },
  },
};

Most related issues were closed and I couldn't find an answer / solution to my problem.

Workaround

The workaround I used for now is to just include all domains in the global CORS allowOrigins configuration.

Edit: split the reproduction repository up into a separate client and server repository and added links to the apps on Heroku
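As an added example (not code from this issue or from Sails itself), the script below models the behaviour the reporter expected, with a route-level `cors.allowOrigins` taking precedence over the global setting, and audits an observed Access-Control-Allow-Origin header against that expectation so a wildcard leaking onto a restricted route shows up as a finding. The helper names and the client origin `https://some-client.example` are assumptions.

```javascript
// Constructed global CORS config, mirroring the report (global wildcard).
const globalCors = { allRoutes: true, allowOrigins: '*' };

// Constructed routes config, as in the issue's config/routes.js.
const routes = {
  'GET /test': {
    action: 'user/test',
    cors: { allowOrigins: ['https://somedomain.com'] },
  },
};

// Resolve the allowOrigins that should apply to a route:
// the route's own cors dictionary wins, otherwise the global value.
function effectiveAllowOrigins(routeKey, routesCfg, globalCfg) {
  const route = routesCfg[routeKey];
  if (route && route.cors && route.cors.allowOrigins !== undefined) {
    return route.cors.allowOrigins;
  }
  return globalCfg.allowOrigins;
}

// Value a compliant server should send in Access-Control-Allow-Origin for
// the given request Origin, or null when the origin is not allowed.
// Origins are compared exactly (scheme + host + port), as CORS requires.
function expectedAllowOriginHeader(allowOrigins, requestOrigin) {
  if (allowOrigins === '*') return '*';
  const list = Array.isArray(allowOrigins) ? allowOrigins : [allowOrigins];
  return list.includes(requestOrigin) ? requestOrigin : null;
}

// Compare the expected header with what was actually observed on the wire.
// observedHeader is null when the response carried no such header.
function auditCors(routeKey, requestOrigin, observedHeader,
                   routesCfg = routes, globalCfg = globalCors) {
  const allowed = effectiveAllowOrigins(routeKey, routesCfg, globalCfg);
  const expected = expectedAllowOriginHeader(allowed, requestOrigin);
  if (expected === observedHeader) {
    return { ok: true, expected, observed: observedHeader };
  }
  const show = (v) => (v === null ? '(absent)' : v);
  return {
    ok: false, expected, observed: observedHeader,
    finding: `${routeKey}: expected Access-Control-Allow-Origin ` +
             `${show(expected)} but got ${show(observedHeader)}`,
  };
}

// The symptom from the report: a restricted route answering with '*'.
console.log(auditCors('GET /test', 'https://some-client.example', '*'));
```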
