Wrong CORS Headers with Cosmos

[Reledia]

Hello,
I set up Hoarder behind cosmos using the latest version, and the service is working fine using OpenRouter too for free inference.
But, when trying to use the chrome extension I get a "Failed to fetch" error. Looking at the cosmos logs, I see:

2024/03/30 15:48:44 "OPTIONS https://***.xyz/api/trpc/apiKeys HTTP/2.0" from 192.168.1.1:40518 - 204 0B in 3.163343ms

when I try to xh the same link I get:

HTTP/2.0 404 Not Found
access-control-allow-credentials: true
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: *.xyz
access-control-allow-origin: *
content-security-policy: frame-ancestors 'self'
content-type: application/json
date: Sat, 30 Mar 2024 15:59:28 GMT
strict-transport-security: max-age=31536000; includeSubDomains
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url
x-content-type-options: nosniff
x-ratelimit-limit: 6000
x-ratelimit-remaining: 86
x-ratelimit-reset: 1711815568
x-served-by-cosmos: 1
x-timeout-duration: 4h0m0s
x-xss-protection: 1; mode=block

{
    "error": {
        "json": {
            "message": "No \"query\"-procedure on path \"apiKeys\"",
            "code": -32004,
            "data": {
                "code": "NOT_FOUND",
                "httpStatus": 404,
                "path": "apiKeys",
                "zodError": null
            }
        }
    }
}

and in the hoarder-web logs I have:

[next-auth][warn][NEXTAUTH_URL] 
https://next-auth.js.org/warnings#nextauth_url
s [TRPCError]: No "query"-procedure on path "apiKeys"
    at m (/app/apps/web/.next/server/chunks/673.js:4826:4202)
    at /app/apps/web/.next/server/app/api/trpc/[trpc]/route.js:1:4251
    at Array.map (<anonymous>)
    at g (/app/apps/web/.next/server/app/api/trpc/[trpc]/route.js:1:4185)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'NOT_FOUND',
  [cause]: undefined
}

The full docker compose for the web app (hiding envs) is:

{
  "services": {
    "Hoarder-WEB": {
      "container_name": "Hoarder-WEB",
      "image": "ghcr.io/mohamedbassem/hoarder-web:latest",
      "environment": [
        ***
      ],
      "labels": {
        "cosmos-auto-update": "true",
        "cosmos-force-network-mode": "cosmos-web-default",
        "cosmos.stack": "web",
        "cosmos.stack.main": "true"
      },
      "ports": [
        "0.0.0.0:8096:3000/tcp",
        ":::8096:3000/tcp"
      ],
      "volumes": [
        {
          "Type": "bind",
          "Source": "/volume1/docker/hoarder/data",
          "Target": "/data"
        }
      ],
      "networks": {
        "cosmos-web-default": {},
        "hoarder": {}
      },
      "routes": null,
      "restart": "on-failure",
      "devices": null,
      "expose": [],
      "depends_on": [],
      "command": "/bin/sh -c (cd /db_migrations && node index.js) && node server.js",
      "entrypoint": "docker-entrypoint.sh",
      "working_dir": "/app/apps/web",
      "user": "root",
      "hostname": "26308f0b7bf2",
      "network_mode": "cosmos-web-default",
      "healthcheck": {
        "test": null,
        "interval": 0,
        "timeout": 0,
        "retries": 0,
        "start_period": 0
      }
    }
  }
}

[MohamedBassem]

What did you use as the server address in the chrome extension? The server address shouldn't contain a trailing slash. It's a bug I fixed and waiting for google to release it.

[MohamedBassem]

To debug this further, I'll need to get the console log of the extension, here's a screen recording of how to do so:

Screen.Recording.2024-03-27.at.10.06.01.PM.mov

[Reledia]

What did you use as the server address in the chrome extension? The server address shouldn't contain a trailing slash. It's a bug I fixed and waiting for google to release it.

Can't debug this as I'm out of home, but the address is of the type https://foo.bar.xyz/

[MohamedBassem]

Yeah, you'll need to try without the trailing slash until the 1.1.1 release of the extension is accepted by google.

[Reledia]

Yeah, you'll need to try without the trailing slash until the 1.1.1 release of the extension is accepted by google.

As soon as I get to try this and confirm I will close the issue, thanks

[Reledia]

I didnt use a trailing slash in the first place, I was mistaken. This is the actual error:

Additionally, my xh command was wrong (I missed the last /). The output is:

>xh https://***.xyz/api/trpc/apiKeys/

HTTP/2.0 308 Permanent Redirect
access-control-allow-credentials: true
access-control-allow-origin: ***.xyz
content-security-policy: frame-ancestors 'self'
date: Sat, 30 Mar 2024 19:29:50 GMT
location: /api/trpc/apiKeys
refresh: 0;url=/api/trpc/apiKeys
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-ratelimit-limit: 6000
x-ratelimit-remaining: 97
x-ratelimit-reset: 1711828190
x-served-by-cosmos: 1
x-timeout-duration: 4h0m0s
x-xss-protection: 1; mode=block

/api/trpc/apiKeys

[MohamedBassem]

Oh, I think I see the problem. Thanks for sharing the error, this clarified it.

Looking at the headers shared above, I see:

access-control-allow-origin: *.xyz
access-control-allow-origin: *

Which is not what Hoarder typically sends. Hoarder only sends access-control-allow-origin: *. I have never used Cosmos before, but any chance it's screwing up with the CORS settings. For Hoarder, you should typically not configure CORS on cosmos and let the hoarder server set its own headers.

[Reledia]

Thanks for the input!
If anybody else needs help with this, the solutions is the follow:

• go to url setting
• go to the security tab
• set cors origin this way (to an asterisk):
  

Now I can log in, thanks