Request header field fiware-service is not allowed by Access-Control-Allow-Headers in preflight response. #3453

Open
ghost opened this issue Mar 8, 2019 · 11 comments

Comments

@ghost

ghost commented Mar 8, 2019

Hi,

I have an issue with CORS when making calls to Fiware Orion.

The version of Fiware Orion.

```json
{
"orion" : {
  "version" : "1.13.0-next",
  "uptime" : "7 d, 1 h, 8 m, 30 s",
  "git_hash" : "ae72acf9e8eeaacaf4eb138f7de37bfee4514c6b",
  "compile_time" : "Fri May 4 10:12:18 UTC 2018",
  "compiled_by" : "root",
  "compiled_in" : "1901fd6bb51a",
  "release_date" : "Fri May 4 10:12:18 UTC 2018",
  "doc" : "https://fiware-orion.readthedocs.org/en/master/"
}
}
```

Error problem,

Access to XMLHttpRequest at 'http://xxxx/v2/op/update' from origin 'xxxx' has been blocked by CORS policy: Request header field fiware-service is not allowed by Access-Control-Allow-Headers in preflight response.

Example of code used:

```javascript
(function($) {
    function getToken() {
        $.ajax({
            method: 'POST',
            url: 'http://xxx/oauth2/token',
            type: 'json',
            data: {
                grant_type: 'password',
                username: 'XXXX',
                password: 'XXXX',
                client_id: '3bb5a3ee06854161a05bfdcdeab7c1cf',
                client_secret: '82e2f867b9db441ea0dd3659e05cbdcc'
            },
            headers: {
                authorization: 'Basic M2JiNWEzZWUwNjg1NDE2MWEwNWJmZGNkZWFiN2MxY2Y6ODJlMmY4NjdiOWRiNDQxZWEwZGQzNjU5ZTA1Y2JkY2M=',
                'Content-type': 'application/x-www-form-urlencoded'
            },
            success: function(data) {
                console.log('Token received!');

                postData(data.token);
            },
            error: function() {
                console.log('Could not get token!');
            }
        });
    }

    function postData(authToken) {
        $.ajax({
            method: 'POST',
            url: 'http://xxxx/v2/op/update',
            type: 'json',
            data: {
                grant_type: 'password',
                username: 'xxxx',
                password: 'xxxx',
                client_id: '3bb5a3ee06854161a05bfdcdeab7c1cf',
                client_secret: '82e2f867b9db441ea0dd3659e05cbdcc'
            },
            headers: {
                'X-Auth-Token': authToken,
                'Content-type': 'application/json',
                'Fiware-Service': 'xxx',
                'Fiware-ServicePath': 'xxxx'
            },
            success: function(data) {
                console.log('Data posted!');

                console.log(data);
            },
            error: function() {
                console.log('Could not post data!');
            }
        });
    }

    getToken();
})(jQuery);
```

Sorry for the bad code format. Can you tell me what is happening? I have CORS enabled and had no issue on my current version of Orion until this type of call, which comes from the browser.

@fgalan
Member

fgalan commented Mar 8, 2019

(I have formatted your code a bit)

How do you run Orion? Typically the output of the `ps ax | grep contextBroker` command.

By the way, your Orion version is pretty old (1.13.0, released almost a year ago). It would be wise to upgrade to a newer one (latest at this moment is 2.2.0).

@ghost
Author

ghost commented Mar 8, 2019

Hi, fgalan,

Yes, the version is old. There was a busy period of the project, so I had no time to check if swapping versions would make any difference in sending data, subscriptions etc. We are definitely going to upgrade the version, at least on the test environment.

I run Orion using docker compose; the most important part is the command option:

```
command: -dbhost mongo -https -key /localhost.key -cert /localhost.pem -logLevel INFO -corsOrigin __ALL
```

This is what we use when starting Orion.
This is a picture of the command you mentioned, run inside the running container:

(image not preserved)

Do you think the version could have some role in this? I also checked some of your responses on Stack regarding the same problem, but they are old and suggested the use of a proxy for communication with Orion.

@fgalan
Member

fgalan commented Mar 8, 2019

I'm not an expert in CORS but reading at https://fiware-orion.readthedocs.io/en/master/user/cors/index.html#access-control-allow-headers it seems that fiware-service is included in the list:

Access-Control-Allow-Headers: Content-Type, Fiware-Service, Fiware-Servicepath, Ngsiv2-AttrsFormat, Fiware-Correlator, X-Forwarded-For, X-Real-IP, X-Auth-Token

Maybe it could be related to case (fiware-service vs. Fiware-Service)? It shouldn't, because HTTP headers are case insensitive by definition, but...

Another question: is this happening only with POST /v2/op/update? Or are other NGSIv2 requests also complaining about the fiware-service header?

CC: @McMutton (as implementer of the CORS part maybe he can bring some light into this issue)

@ghost
Author

ghost commented Mar 8, 2019

I tried a POST to v2/entities and got the exact same response. Anyway, until we have more info on this, I will try to make some connector/proxy to send data to Orion.

@cgillions

+1

I get the same issue with a GET request to /v2/entities:
https://stackoverflow.com/questions/57491353/context-broker-preflight-options-request

@fgalan
Member

fgalan commented Aug 14, 2019

I can try to reproduce the problem. In order to do that I'll need the exact request that is causing the response (ideally the curl command to run). Could you provide that information, please?

@cgillions

cgillions commented Aug 14, 2019

When the request is made from the browser, it sends a pre-flight OPTIONS HTTP request to the CB to check, for example, what headers the CB endpoint accepts. This HTTP method is not allowed.

```
curl -X OPTIONS http://xxx.xxx.xxx.xxx:1026/v2/entities
{"error":"MethodNotAllowed","description":"method not allowed"}
```

This results in browsers being unable to communicate with the CB, even though CORS is enabled.
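
Added example (not part of the original thread, and not Orion or browser source code): a simplified version of the check a browser applies to the preflight response, run against the headers `postData()` sends. It shows that header-name case is irrelevant, that a non-2xx OPTIONS reply fails before any header list is read, and that a single name missing from Access-Control-Allow-Headers blocks the request. `SAMPLE_REQUEST`, its origin and the function names are assumptions of this example.

```javascript
// Simplified from the Fetch standard's CORS-preflight steps; wildcards, credentials
// mode and value-length rules are left out. Not Orion or browser source code.
const SAFE_NAMES = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Split a comma-separated header value into trimmed tokens.
const tokens = (value) => (value || '').split(',').map((t) => t.trim()).filter(Boolean);

// Names the browser must get approved: everything outside the safelist, lower-cased.
function unsafeHeaderNames(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n !== 'content-type') return !SAFE_NAMES.has(n);
      return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// request: {origin, method, headers}; preflight: {status, headers} with lower-cased keys.
function checkPreflight(request, preflight) {
  const h = preflight.headers;
  const origin = h['access-control-allow-origin'];
  if (origin !== '*' && origin !== request.origin) {
    return { allowed: false, reason: 'origin is not allowed by Access-Control-Allow-Origin' };
  }
  if (preflight.status < 200 || preflight.status > 299) {
    return { allowed: false, reason: 'preflight response does not have an ok status' };
  }
  const methods = tokens(h['access-control-allow-methods']);
  if (!SAFE_METHODS.has(request.method) && !methods.includes(request.method)) {
    return { allowed: false, reason: `method ${request.method} is not allowed by Access-Control-Allow-Methods` };
  }
  // Header names compare case-insensitively, so Fiware-Service matches fiware-service.
  const allowed = tokens(h['access-control-allow-headers']).map((t) => t.toLowerCase());
  const blocked = unsafeHeaderNames(request.headers).find((n) => !allowed.includes(n));
  return blocked
    ? { allowed: false, reason: `request header field ${blocked} is not allowed by Access-Control-Allow-Headers` }
    : { allowed: true, reason: 'ok' };
}

// Constructed sample: the headers postData() sends; origin and token are placeholders.
const SAMPLE_REQUEST = { origin: 'http://app.example', method: 'POST', headers: {
  'X-Auth-Token': 'placeholder', 'Content-type': 'application/json',
  'Fiware-Service': 'xxx', 'Fiware-ServicePath': 'xxxx' } };
console.log(unsafeHeaderNames(SAMPLE_REQUEST.headers).join(','));
```

To compare against a real server, send the OPTIONS request with `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` set, then feed the status and response headers into `checkPreflight`.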

@fgalan
Member

fgalan commented Aug 14, 2019

I did the following test. Orion runs this way:

```
contextBroker -fg -corsOrigin __ALL
```

I do the following curl:

```
$ curl -vvvv -X OPTIONS http://localhost:1026/v2/entities
```

The response I get is 200 OK:

```
* Hostname was NOT found in DNS cache
*   Trying ::1...
* Connected to localhost (::1) port 1026 (#0)
> OPTIONS /v2/entities HTTP/1.1
> User-Agent: curl/7.38.0
> Host: localhost:1026
> Accept: */*
> 
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Content-Length: 0
< Fiware-Correlator: 11d61050-be8b-11e9-86ac-000c29173617
< Date: Wed, 14 Aug 2019 12:00:12 GMT
< 
* Connection #0 to host localhost left intact
```

But maybe I'm not running Orion the same way. Could you confirm how you run it (i.e. `ps ax | grep contextBroker`)?

@cgillions

Sure, our instance is started using this command:

```
/usr/bin/contextBroker -port 1026 -logDir /var/log/contextBroker -pidpath /var/run/contextBroker/contextBroker.pid -dbhost localhost -db orion -corsOrigin __ALL -multiservice -logAppend
```

For added info, it's version 1.7.0

@fgalan
Member

fgalan commented Aug 15, 2019

@cgillions the version you are using is pretty old and the OPTIONS header is not supported. OPTIONS header support was included around version 1.13.0.

Thus, the solution is easy: update Context Broker. I'd recommend you to do it to the most recent version at this moment (i.e. 2.2.0).

@fgalan
Member

fgalan commented Aug 15, 2019

I think the problem reported by @cgillions is solved with my last comment, but with regards to the original problem described in the body of the issue, @IgorDespot, could you provide the exact request that is causing the response (ideally the curl command to run), please?
