CORS 'Access-Control-Allow-Origin' does not present in header

[tleperou]

I cope with a CORS issue when I request a POST to '/oauth/token' from my local ember client.

"XMLHttpRequest cannot load http://localhost:1337/oauth/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access."

However I set config/cors.js to accept '*' origin.

Another API running on Sails 0.10 with same cors.js config returns right headers.

How this could be, why Sails does not return this header, any idea?

[lucj]

In config/cors.js, have you also set the header part ?

On Thu, Nov 12, 2015 at 5:25 PM, lst2 notifications@github.com wrote:

I cope with a CORS issue when I request a POST to '/oauth/token' from my
local ember client.

"XMLHttpRequest cannot load http://localhost:1337/oauth/token. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:4200' is therefore not allowed access."

However I set config/cors.js to accept '*' origin.

Another API running on Sails 0.10 with same cors.js config returns right
headers.

How this could be, why Sails does not return this header, any idea?

—
Reply to this email directly or view it on GitHub
#12.

Luc Juggery - https://about.me/lucjuggery

[tleperou]

Actually the request's response against oauth/token is made fom password.js of oauth2orize node module dependency which set headers itself, disregarding Sails CORS config.

//! oauth2orize/lib/exchange/password.js
function issued(err, accessToken, refreshToken, params) {
// [...]
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Cache-Control', 'no-store');
  res.setHeader('Pragma', 'no-cache');
  res.end(json);
}

try {
  var arity = issue.length;
  if (arity == 6) {
    issue(client, username, passwd, scope, req.body, issued);
  } else if (arity == 5) {
    issue(client, username, passwd, scope, issued);
  } else { // arity == 4
    issue(client, username, passwd, issued);
  }
} catch (ex) {
  return next(ex);
}

In my case, I've modified oauth2orize/lib/exchange/password.js to make it match with specific headers needs. It is not a reliable solution.

Do we should use a way to apply Sails config to oauth2orize response request ? That sounds better.

[davoscript]

In this case, the response is being handled by express directly in the config/oauth2.js (I presume without using the Sails configuration (config/cors.js); so in order to achieve this without modifying oauth2authorize source you can do this:

In config/oauth2.js:

// Initialize passport
app.use(passport.initialize());
app.use(passport.session());

// Set CORS here
app.use(function(req, res, next) {
      res.header("Access-Control-Allow-Origin", "*");
      res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
      next();
});