Access-control-allow-origin. Bug or....?

[gjabelAmbitas]

Have serve-api app and frontend app.

I set access-control-allow-origin on server - development / localhost:3002.

Also i have set app.register(require('fastify-cors'), { origin:true, });

But if i make request from development frontend site with fetch api (localhost on other port 3001)
with post method, chrome says:

Access to fetch at 'http://localhost:3002/login' from origin 'http://localhost:3001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

But if i make GET request, it works..
Some advice how to solve this?
Thanks!

[cemremengu]

On top off my head can you try

app.register(require('fastify-cors'), { origin: '*' });

[gjabelAmbitas]

same response....:(

Access to fetch at 'http://localhost:3002/login' from origin 'http://localhost:3001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[gjabelAmbitas]

but i forgot mentioned that when i use postman for testing API, it works!

[cemremengu]

If it doesnt work only for POST method, you can try including it in Access-Control-Allow-Methods

[gjabelAmbitas]

Doent work too...
but its definetely problem with fastify becouse on simple express app it works!

Here simple express app:

const express = require('express')
const app = express()
const port = 3003
app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Allow-Origin, Cache-Control");
    // res.json({data: [1,2,3,4]})
    next()
  });
app.post('/api/v1/login', (req, res) =>   {

    res.json({data: [1,2,3,4]})
    next()
})

app.listen(port, () => console.log(`Example app listening on port ${port}!`))

So how to implement this on fastify???

[gjabelAmbitas]

ok. fast-cors doesnt work, i found the way how to avoid allow-origin error:

When i try to set header via
fastify.use(function(req, res, next) { reply.header("Access-Control-Allow-Origin", "*"); reply.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Allow-Origin, Cache-Control"); next() });
or via
fastify.addHook('onSend', (request, reply, payload, next) => { console.log('KKTKO') reply.header("Access-Control-Allow-Origin", "*"); reply.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Allow-Origin, Cache-Control"); // // res.json({data: [1,2,3,4]}) // res.send('hello') next() })

But after that i got response error like this:
error: "Bad Request"
message: "Unexpected end of JSON input"
statusCode: 400.

Again -- in postman its works normally

[mcollina]

Can you please:

a) include a full application that demonstrate the problem
b) a clear description of what you are trying to achieve
c) simple steps to reproduce the problem

---

Very likely this is a bug in https://github.com/fastify/fastify-cors.

[gjabelAmbitas]

ok. Here is full code of simple application where first part is express.js simple app which is working. And second uncommented part is fastify part which doesnt work on any POST requests. GET method work fine as well.

`// const express = require('express')
// const app = express()
// const port = 3002
// app.use(function(req, res, next) {
// res.header("Access-Control-Allow-Origin", "*");
// res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Allow-Origin, Cache-Control");
// // res.json({data: [1,2,3,4]})
// next()
// });
// app.post('/api/v1/users/login', (req, res) => {

// res.json({data: [1,2,3,4]})

// })

const fastify = require('fastify')({
// logger: true
})
fastify.register(require('fastify-cors'), {
"origin": '',
"methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"preflightContinue": true,
"optionsSuccessStatus": 201
})
fastify.addHook('onSend', (request, reply, payload, next) => {
reply.header("Access-Control-Allow-Origin", "");
reply.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Allow-Origin, Cache-Control");
next()
})

fastify.post('/api/v1/users/login', async (request, reply) => {
return {
data: [1, 2, 3, 4]
}
})

fastify.listen(3002, (err, address) => {
if (err) throw err
fastify.log.info(server listening on ${address})
})`
.

Both apps works in Postman, but if i try it via frontend app (Fetch, chrome) fastify failed.
Thanks for help!

[mcollina]

How are you sending POST requests?

[gjabelAmbitas]

` let headers = {
method: obj.method ? obj.method.toUpperCase() : 'GET',
headers: {
"Access-Control-Allow-Origin":"*",
'Cache-Control': 'no-cache',
'Content-Type': 'application/json'
},
}
console.log(obj.url,headers)
fetch(obj.url, headers)
.then((response) => {
respo_.status = response.status;

            response.json()
                .then((responseJson) => {

                    respo_.data = responseJson;
                    respo_.success = true;
                    resolve(respo_)
                }).catch(error => {`

...

Frome chrome Netwok tab:

[mcollina]

If you are sending a POST with content-type JSON, you have to provide a body. A JSON is at least 2 bytes.

We should probably provide a better error mesage for this case.

[gjabelAmbitas]

Ok, it works.
I used query params instead of body params. Thanks for help!

[cemremengu]

@mcollina error message or set request body to {} if it is empty?