cors headers not set when access-control-request-headers is set #660

Closed

kevinsimper opened this issue May 14, 2018 · 5 comments

@kevinsimper
Prerequisites

  • I am running the latest version. (up upgrade)
  • I searched to see if the issue already exists.
  • I inspected the verbose debug output with the -v, --verbose flag.
  • Are you an Up Pro subscriber?

Description

When the access-control-request-headers header is set, the CORS headers are not returned and therefore CORS breaks in JavaScript. The first example is my localhost, the second is without the headers that the browsers send, and the third is to simulate the browser's headers.

$ http OPTIONS :3001/graphql access-control-request-headers:'authorization,content-type' access-control-request-method:'POST'
HTTP/1.1 204 No Content
Access-Control-Allow-Headers: authorization,content-type
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 0
Date: Mon, 14 May 2018 21:08:51 GMT
Vary: Access-Control-Request-Headers
X-Powered-By: Express



😸🐳 ~/Projects/hackyourfuture.dk/backend []
$ http OPTIONS https://tdla96bnzi.execute-api.eu-central-1.amazonaws.com/production/graphql
HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf8
Date: Mon, 14 May 2018 21:09:01 GMT
Vary: Access-Control-Request-Headers
Via: 1.1 8021f954d329869476f935f2fb14e66e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FnBeQsgK3XQnphHHLf8yg9e5u8_4JrW4UfcZEaPqvS0tqe8V48yjHA==
X-Amzn-Trace-Id: Root=1-5af9faec-0cc41d6041fed78a87af1d40
X-Cache: Miss from cloudfront
X-Powered-By: Express
x-amz-apigw-id: G5Qk5HKzliAFulw=
x-amzn-Remapped-Content-Length: 0
x-amzn-Remapped-Date: Mon, 14 May 2018 21:09:01 GMT
x-amzn-RequestId: 05b5c745-57bb-11e8-9814-3dd6fbbd2744



😸🐳 ~/Projects/hackyourfuture.dk/backend []
$ http OPTIONS https://tdla96bnzi.execute-api.eu-central-1.amazonaws.com/production/graphql access-control-request-headers:'authorization,content-type' access-control-request-method:'POST'
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf8
Date: Mon, 14 May 2018 21:09:16 GMT
Vary: Access-Control-Request-Headers
Via: 1.1 8bdae94273544c8186e20a3c31375f99.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 7O4kJVY-EdvFvfoVpjCraHsShbfaPcVc6e6lIN0FhhVLslQiOWeLgQ==
X-Amzn-Trace-Id: Root=1-5af9fafc-3b67a2a43dcfdfc6fb60ef46
X-Cache: Miss from cloudfront
x-amz-apigw-id: G5QnbE3JliAFaww=
x-amzn-RequestId: 0f5ddb2a-57bb-11e8-b515-dde370b38be0

curl 'https://tdla96bnzi.execute-api.eu-central-1.amazonaws.com/production/graphql' -X OPTIONS -H 'pragma: no-cache' -H 'access-control-request-headers: authorization,content-type' -H 'access-control-request-method: POST' -H 'origin: https://hackyourfuture.dk' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36' -H 'accept: */*' -H 'cache-control: no-cache' -H 'authority: tdla96bnzi.execute-api.eu-central-1.amazonaws.com' -H 'referer: https://hackyourfuture.dk/dashboard/' --compressed
kevinsimper (Author) commented May 15, 2018

I read #649 but my Express server does not send a Content-Type for the OPTIONS request.

I enabled cors: { debug: true, enable: true } and here are the logs:

  May 15th 10:22:23am INFO production ee777f8 starting app: PORT=37105 command=node app.js
  May 15th 10:22:23am INFO production ee777f8 started app: pid=16
  May 15th 10:22:23am INFO production ee777f8 waiting for app to listen on PORT
  May 15th 10:22:24am INFO production ee777f8 Listening on 37105
  May 15th 10:22:25am INFO production ee777f8 app listening: duration=2.119s
  May 15th 10:22:25am INFO production ee777f8 initialized: duration=2.139s
  May 15th 10:22:25am INFO production ee777f8 request: id=17c01163-5819-11e8-8b68-81a75de3b259 ip=83.93.187.177 method=OPTIONS path=/graphql
  May 15th 10:22:25am INFO production ee777f8 response: duration=39ms id=17c01163-5819-11e8-8b68-81a75de3b259 ip=83.93.187.177 method=OPTIONS path=/graphql size=0 B status=200
  May 15th 10:22:25am INFO 2018-05-15T08:22:25.679Z	17c0ad4a-5819-11e8-a6ac-55a9af9527f7	[shim] unexpected non-json line: `[cors] 2018/05/15 08:22:25 Handler: Preflight request`
  May 15th 10:22:25am INFO 2018-05-15T08:22:25.680Z	17c0ad4a-5819-11e8-a6ac-55a9af9527f7	[shim] unexpected non-json line: `[cors] 2018/05/15 08:22:25   Preflight aborted: empty origin`
  May 15th 10:22:25am INFO REPORT RequestId: 17c0ad4a-5819-11e8-a6ac-55a9af9527f7	Duration: 2330.19 ms	Billed Duration: 2400 ms 	Memory Size: 512 MB	Max Memory Used: 61 MB
  May 15th 10:24:36am INFO production ee777f8 request: id=67419cea-5819-11e8-8e96-9f5dbc1b57e7 ip=83.93.187.177 method=OPTIONS path=/login
  May 15th 10:24:36am INFO production ee777f8 response: duration=0s id=67419cea-5819-11e8-8e96-9f5dbc1b57e7 ip=83.93.187.177 method=OPTIONS path=/login size=0 B status=200
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.500Z	6743e75c-5819-11e8-8bfb-1d4902f23e99	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36 Handler: Preflight request`
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.500Z	6743e75c-5819-11e8-8bfb-1d4902f23e99	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36   Preflight response headers: map[Vary:[Accept-Encoding Origin Access-Control-Request-Method Access-Control-Request-Headers] Access-Control-Allow-Origin:[*] Access-Control-Allow-Methods:[POST] Access-Control-Allow-Headers:[Content-Type]]`
  May 15th 10:24:36am INFO REPORT RequestId: 6743e75c-5819-11e8-8bfb-1d4902f23e99	Duration: 18.26 ms	Billed Duration: 100 ms 	Memory Size: 512 MB	Max Memory Used: 61 MB
  May 15th 10:24:36am INFO production ee777f8 request: id=675bdb66-5819-11e8-bdf4-6984ec10250f ip=83.93.187.177 method=POST path=/login size=291 B
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.640Z	675c9edb-5819-11e8-b5f9-bd980eec6d1d	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36 Handler: Actual request`
  May 15th 10:24:36am INFO 2018-05-15T08:24:36.640Z	675c9edb-5819-11e8-b5f9-bd980eec6d1d	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:36   Actual response added headers: map[Vary:[Accept-Encoding Origin] Access-Control-Allow-Origin:[*]]`
  May 15th 10:24:37am INFO production ee777f8 response: duration=852ms id=675bdb66-5819-11e8-bdf4-6984ec10250f ip=83.93.187.177 method=POST path=/login size=489 B status=200
  May 15th 10:24:37am INFO REPORT RequestId: 675c9edb-5819-11e8-b5f9-bd980eec6d1d	Duration: 853.84 ms	Billed Duration: 900 ms 	Memory Size: 512 MB	Max Memory Used: 63 MB
  May 15th 10:24:38am INFO production ee777f8 request: id=685f8fe6-5819-11e8-bda9-03101e565b5e ip=83.93.187.177 method=OPTIONS path=/graphql
  May 15th 10:24:38am INFO production ee777f8 response: duration=0s id=685f8fe6-5819-11e8-bda9-03101e565b5e ip=83.93.187.177 method=OPTIONS path=/graphql size=0 B status=200
  May 15th 10:24:38am INFO 2018-05-15T08:24:38.339Z	685fddfd-5819-11e8-885b-e9c995cc9bde	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:38 Handler: Preflight request`
  May 15th 10:24:38am INFO 2018-05-15T08:24:38.339Z	685fddfd-5819-11e8-885b-e9c995cc9bde	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:38   Preflight aborted: headers '[Authorization Content-Type]' not allowed`
  May 15th 10:24:38am INFO REPORT RequestId: 685fddfd-5819-11e8-885b-e9c995cc9bde	Duration: 1.45 ms	Billed Duration: 100 ms 	Memory Size: 512 MB	Max Memory Used: 63 MB
  May 15th 10:24:45am INFO production ee777f8 request: id=6cacf0ed-5819-11e8-b2e0-c9e5dc9b6bbd ip=83.93.187.177 method=OPTIONS path=/graphql
  May 15th 10:24:45am INFO production ee777f8 response: duration=0s id=6cacf0ed-5819-11e8-b2e0-c9e5dc9b6bbd ip=83.93.187.177 method=OPTIONS path=/graphql size=0 B status=200
  May 15th 10:24:45am INFO 2018-05-15T08:24:45.555Z	6cad3f86-5819-11e8-9229-67363aa6ed38	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:45 Handler: Preflight request`
  May 15th 10:24:45am INFO 2018-05-15T08:24:45.556Z	6cad3f86-5819-11e8-9229-67363aa6ed38	[shim] unexpected non-json line: `[cors] 2018/05/15 08:24:45   Preflight aborted: headers '[Authorization Content-Type]' not allowed`
  May 15th 10:24:45am INFO REPORT RequestId: 6cad3f86-5819-11e8-9229-67363aa6ed38	Duration: 1.69 ms	Billed Duration: 100 ms 	Memory Size: 512 MB	Max Memory Used: 63 MB

Also, the examples in the git repo do not cover CORS with POST and the authorization header, and neither does the graphql example:

https://github.com/apex/up-examples/tree/master/oss

kevinsimper (Author) commented

Found something that wasn't in the documentation, but was available in the code,

It is not used in any of the examples
https://github.com/apex/up-examples/search?utf8=%E2%9C%93&q=allowed_headers&type=

But I will add one 😄

I would also suggest that allowed_headers starts with a default with Content-Type as the browser adds it by default, as seen in the curl example above.

tj (Member) commented May 15, 2018

I'll fix the docs, I just noticed the defaults for allowed_headers is incorrect on the site, it's "Origin", "Accept", "Content-Type", "X-Requested-With" by default — and I'll add CORS to the graphql example
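The check behind the "[cors] Preflight aborted" log lines above, written out as an added Go example (not Up's or any CORS library's own code): a preflight that refuses when a requested header is missing from allowed_headers, using the defaults tj lists. The origin, requested headers and method come from the thread's curl command; the function names and the abort strings are constructed to mirror the log wording.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Defaults for cors.allowed_headers as tj states them in this thread.
var defaultAllowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"}

// parseRequestedHeaders canonicalises Access-Control-Request-Headers, so "authorization,content-type" compares case-insensitively.
func parseRequestedHeaders(v string) []string {
	var out []string
	for _, h := range strings.Split(v, ",") {
		if h = strings.TrimSpace(h); h != "" {
			out = append(out, http.CanonicalHeaderKey(h))
		}
	}
	return out
}

// preflight returns the CORS headers for an OPTIONS request, or a reason (worded like the log lines) when none are added.
func preflight(origin, reqMethod, reqHeaders string, allowedHeaders []string) (http.Header, string) {
	if origin == "" { // the http(ie) calls without an Origin header end up here
		return nil, "empty origin"
	}
	allowed := map[string]bool{}
	for _, h := range allowedHeaders {
		allowed[http.CanonicalHeaderKey(h)] = true
	}
	requested := parseRequestedHeaders(reqHeaders)
	for _, h := range requested {
		if !allowed[h] { // one disallowed header aborts the whole preflight: no CORS headers at all
			return nil, fmt.Sprintf("headers '%v' not allowed", requested)
		}
	}
	h := http.Header{}
	h.Set("Access-Control-Allow-Origin", "*")
	h.Set("Access-Control-Allow-Methods", reqMethod)
	if len(requested) > 0 {
		h.Set("Access-Control-Allow-Headers", strings.Join(requested, ", "))
	}
	return h, ""
}

func main() {
	_, why := preflight("https://hackyourfuture.dk", "POST", "authorization,content-type", defaultAllowedHeaders)
	h, _ := preflight("https://hackyourfuture.dk", "POST", "authorization,content-type", append(defaultAllowedHeaders, "Authorization"))
	fmt.Printf("defaults: %s\nwith Authorization allowed: %s\n", why, h.Get("Access-Control-Allow-Headers"))
}
```

With the defaults the first call reproduces "headers '[Authorization Content-Type]' not allowed"; adding Authorization to allowed_headers is what makes the preflight succeed.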

tj (Member) commented May 15, 2018

Fixed the docs to show those defaults and added apex/up-examples@b3339a6

kevinsimper (Author) commented

That is awesome, thank you! 👍
