Hapi: Problem with missing Access-Control-Request-Method header

Created on 15 Jun 2016  ·  5 Comments  ·  Source: hapijs/hapi

Hi! I created a simple server for a test:

const hapi = require('hapi');
let server = new hapi.Server({
    connections: {
        routes: {
            cors: true
        }
    }
});

server.route({ method: 'GET', path: '/', handler: function (request, reply) { return reply('ok'); } });
server.start();

Then I send an OPTIONS request with an Access-Control-Request-Method: GET header. Hapi returns an error like:

{
    "statusCode": 404,
    "error": "Not Found",
    "message": "CORS error: Missing Access-Control-Request-Method header"
} 

Here I see the check for the header: https://github.com/hapijs/hapi/blob/master/lib/cors.js#L94
but the header is undefined. Why? Maybe it was filtered out before?

hapi version: 13.4.1

non issue

All 5 comments

Can you show us the request along with header information that is being sent to hapi server?

Hi there, I seem to be getting the same error in 13.4.1, used within a larger module (serverless-offline).

Raw Request for the OPTION call:

Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8,ro;q=0.6
Access-Control-Request-Headers:authorization, content-type
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
Host:localhost:3000
Origin:https://localhost:8080
Pragma:no-cache
Referer:https://localhost:8080/login
User-Agent:Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1

Raw Response for OPTION (Allow-Origin is set to '*' by serverless-offline by default):

HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: no-cache
vary: accept-encoding
content-encoding: gzip
Date: Wed, 22 Jun 2016 13:27:33 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Then, sending this POST request via Postman:

OPTIONS /api/auth HTTP/1.1
Host: localhost:3000
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization, content-type
Cache-Control: no-cache
Postman-Token: 5a6cf73e-9a64-31be-b83f-591d3721424b
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

results in:

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "CORS error: Missing Access-Control-Request-Method header"
}

Any ideas? I'll try rolling back to a previous version of Hapi, since everything was working just fine a few days ago and I made no changes to the code, other than a clean npm install.

@andreipopovici I haven't looked at the hapi implementation but I can tell you that the Postman OPTIONS request is _not_ a proper preflight request.

Section 7.1.5 of the CORS spec says that a valid preflight request must exclude any headers listed in the Access-Control-Request-Headers header from the OPTIONS request. In this case, you have failed to exclude the content-type header.
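
The condition described in the comment above can be checked mechanically on a captured request. This is an added example, not part of the thread and not hapi's or Postman's code: it audits a raw OPTIONS request for an Origin header, an Access-Control-Request-Method header, and headers that are both announced in Access-Control-Request-Headers and sent on the preflight itself. The names `parseRequestHead` and `auditPreflight` and both sample requests are constructed for illustration.

```javascript
// Added example, not hapi's or Postman's code. Header names are lower-cased.
function parseRequestHead(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const method = lines[0].trim().split(/\s+/)[0];
  const headers = Object.create(null); // no prototype keys to collide with
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break; // blank line ends the head
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skip malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { method, headers };
}

// List the reasons a captured request is not a well-formed preflight.
function auditPreflight(raw) {
  const { method, headers } = parseRequestHead(raw);
  const problems = [];
  if (method !== 'OPTIONS') problems.push('method is not OPTIONS');
  if (!headers['origin']) problems.push('missing Origin');
  if (!headers['access-control-request-method']) {
    problems.push('missing Access-Control-Request-Method');
  }
  // Headers announced for the real request should not be sent on the preflight.
  const announced = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  for (const name of announced) {
    if (name in headers) problems.push('carries announced header: ' + name);
  }
  return problems;
}

// Constructed samples modelled on the two requests quoted in the thread.
const POSTMAN_REQUEST = [
  'OPTIONS /api/auth HTTP/1.1',
  'Host: localhost:3000',
  'Access-Control-Request-Method: POST',
  'Access-Control-Request-Headers: authorization, content-type',
  'Content-Type: multipart/form-data; boundary=constructed',
].join('\r\n');
const BROWSER_REQUEST = [
  'OPTIONS /api/auth HTTP/1.1', // request line is an assumption
  'Host: localhost:3000',
  'Origin: https://localhost:8080',
  'Access-Control-Request-Method: POST',
  'Access-Control-Request-Headers: authorization, content-type',
].join('\r\n');
console.log(auditPreflight(POSTMAN_REQUEST), auditPreflight(BROWSER_REQUEST));
```
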

@kanongil You're right, that's a miss on Postman's part.

Either way, the CORS issue went away completely (even in Postman) when I downgraded to [email protected], FWIW.

Correction, there seems to be an issue unrelated to [email protected]. It works fine with a previous version of [email protected]. We'll take a look at the CORS default settings over there, just wanted to confirm that my issue is probably not related to the OP's.
