Nest: [Bug] CORS keep sending with origin:true *

Created on 21 Feb 2019 · 8 Comments · Source: nestjs/nest

I'm submitting a...


[ ] Regression 
[x] Bug report
[ ] Feature request
[ ] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Expected behavior


I added app.enableCors({ origin: true }); to application startup script and expected framework to send back headers with access-control-allow-origin: example.com when requesting with Origin: http://example.com header.
Same thing happens even if I specify app.enableCors({ origin: 'example.com' });.

Current behavior


After adding app.enableCors({ origin: true }); system always returns access-control-allow-origin: *
After deep debugging I found out that the system writes the correct headers first and later rewrites them with *. (I used console.log in the cors module.)

Minimal reproduction of the problem with instructions


Just try to enable CORS with origin: true and check response headers.

What is the motivation / use case for changing the behavior?


The original problem comes from incorrect behavior on iOS devices, when they start saying that CORS is not allowed on POST requests. After researching on SO and Google, it looks like for iOS you have to specify the domain in order for it to work properly.

Environment


Nest version: 5.4.0


For Tooling issues:
- Node version: v11.8.0  
- Platform: Mac, Linux (CentOS) 

Others:

- Main tests run with GraphQL on (whole product based on it)

All 8 comments

Since you are using GraphQL, I suppose that your issue is related to this one https://github.com/apollographql/apollo-server/issues/1142

You should probably pass options here instead:

GraphQLModule.forRoot({
   cors: {}, // pass options here
})

@kamilmysliwiec thank you! It works now. Probably need to add that to the documentation.

Cannot for the life of me get cors enabled. I have added it in the main.ts

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  const options = {
    origin: '*',
    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
    preflightContinue: true,
    optionsSuccessStatus: 204,
    credentials: true,
  };
  app.enableCors(options);
  await app.listen(3000);
}
bootstrap();

and the app module:

@Module({
  imports: [
    GraphQLModule.forRoot(
      {
        typePaths: ['./**/*.graphql'],
        cors: {
          origin: '*',
          methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
          preflightContinue: true,
          optionsSuccessStatus: 204,
          credentials: true,
        },
        path: '/',
        context: ({ req }) => ({ req }),
        installSubscriptionHandlers: true,
        resolverValidationOptions: {
          requireResolversForResolveType: false,
        },
        playground: true,
        definitions: {
          path: join(process.cwd(), 'src/graphql.schema.d.ts'),
          outputAs: 'class',
        },
      },
    ),
    PrismaModule,
  ],
  providers: [],
})
export class AppModule {
}

None of this has any effect, and I am still getting a CORS error on my Angular front end.

@kamilmysliwiec
please mention graphql cors configuration in [cors] config section

Same issue, I can't get CORS set to '*' to work

Came across this after spending a few hours trying to figure out for the life of me why CORS was enabled even though I wasn't calling app.enableCors().

@Alex-Bond @kamilmysliwiec This really needs to either be added to the documentation, or disabled by default so CORS is only enabled via app.enableCors() as is expected.

Try it with regex:

app.enableCors({
    origin: [
      /^(.*)/,
    ],
    methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
    preflightContinue: false,
    optionsSuccessStatus: 200,
    credentials: true,
    allowedHeaders:
      'Origin,X-Requested-With,Content-Type,Accept,Authorization,authorization,X-Forwarded-for',
  })

Thoughts: when you use '*' it doesn't work. Maybe not supported or bug, dunno... But when you use regex, it tries to match your given domain and it simply returns true as if it was fully declared in the origins array.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
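
Added example, not part of the thread and not NestJS code: browsers refuse a wildcard Access-Control-Allow-Origin on credentialed requests, while a catch-all regex reflects whichever origin asked, so the sketch below models both outcomes next to an explicit allow-list. The origins, the function names and the simplified header model are assumptions made for illustration; the `(origin, callback)` shape is the one the `cors` package accepts for its `origin` option.

```typescript
// Constructed sample origins; replace with the real front-end origins.
const ALLOWED_ORIGINS = new Set<string>(['http://example.com', 'http://localhost:4200']);

type OriginCallback = (err: Error | null, allow?: boolean) => void;
type OriginFn = (origin: string | undefined, cb: OriginCallback) => void;
type OriginOption = '*' | RegExp | OriginFn;

// Allow-list in the (origin, callback) shape that the `cors` package accepts
// for its `origin` option. Requests with no Origin header are not CORS requests.
const allowListedOrigin: OriginFn = (origin, cb) =>
  cb(null, origin === undefined || ALLOWED_ORIGINS.has(origin));

interface CorsHeaders { allowOrigin?: string; allowCredentials?: boolean; }

// Simplified model of the headers emitted for each kind of `origin` option:
// '*' is sent literally, a regex or function match reflects the request origin.
function emittedHeaders(opt: OriginOption, requestOrigin: string, credentials: boolean): CorsHeaders {
  if (opt === '*') return { allowOrigin: '*', allowCredentials: credentials };
  let allowed = false;
  if (opt instanceof RegExp) allowed = opt.test(requestOrigin);
  else opt(requestOrigin, (_err, allow) => { allowed = allow === true; });
  return allowed ? { allowOrigin: requestOrigin, allowCredentials: credentials } : {};
}

// The browser-side CORS check from the Fetch standard: a credentialed request
// needs an exact origin match plus Access-Control-Allow-Credentials: true.
function browserAccepts(h: CorsHeaders, requestOrigin: string, withCredentials: boolean): boolean {
  if (h.allowOrigin === undefined) return false;
  if (!withCredentials) return h.allowOrigin === '*' || h.allowOrigin === requestOrigin;
  return h.allowOrigin === requestOrigin && h.allowCredentials === true;
}

// End to end: can a browser read the response to a credentialed request from `origin`?
function credentialedRequestAllowed(opt: OriginOption, origin: string): boolean {
  return browserAccepts(emittedHeaders(opt, origin, true), origin, true);
}

// Intended wiring (assumption: the same options object is valid in both places):
//   app.enableCors({ origin: allowListedOrigin, credentials: true });
//   GraphQLModule.forRoot({ cors: { origin: allowListedOrigin, credentials: true } });
```

With `credentials: true`, the wildcard fails for every origin, the catch-all regex succeeds for every origin including ones you never intended to trust, and the allow-list succeeds only for the listed origins.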
