# community
j
Hi everyone - I'm running into a CORS issue with accessing my local Cerbos service from an Angular app. When I am making calls to my Cerbos service (both with the Node SDK and a general POST request), I'm getting the following error:
Access to XMLHttpRequest at 'http://localhost:4120/api/check' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
http://localhost:4200 is my angular app, http://localhost:4120/ is my Cerbos server. While reading through the Cerbos docs, it looks like CORS should be enabled by default. I also tried setting up a proxy (similar to this) to route http://localhost:4200/proxy/api/check -> http://localhost:4120/api/check, but when I do that, I get a connection refused:
[webpack-dev-server] [HPM] Error occurred while proxying request localhost:4200/api/server_info to http://localhost:4120/ [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)
Any thoughts?
a
Hey - can you share your config file for Cerbos?
j
Sure thing!
---
server:
  httpListenAddr: ":4120"
  adminAPI:
    enabled: true
    adminCredentials:
      username: cerbos
      passwordHash: JDJ5JDEwJGI5d2k0QWNxT0RsSzFib1A2T0M1WXVzRC5pcHprTlFaMWxzVno0ZFB6MllmSlFwY29ycXFhCgo=
storage:
  driver: "postgres"
  postgres:
    url: "postgresql://cerbos_user:[password]@localhost:5432/Cerbos?sslmode=disable&search_path=cerbos"
    connPool:
      maxLifeTime: 5m
      maxIdleTime: 3m
      maxOpen: 10
      maxIdle: 5
Also, my GET request to http://localhost:4120/api/server_info returns a valid response.
a
That looks ok - do you have an example of a /api/check request I can use to try and replicate? You can right-click the failing call in Chrome devtools and 'copy as cURL'.
This usually happens when extra headers are added by whatever is sending the POST request. You should be able to see this in the request in DevTools, then add it to the allowedHeaders config: https://docs.cerbos.dev/cerbos/latest/configuration/server.html#_cors
j
curl 'http://localhost:4120/api/check' \
  -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"' \
  -H 'Referer: http://localhost:4200/' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'Content-Type: application/json' \
  --data-raw '{"requestId":"095b8b64-9524-4cea-8b82-a9efc54b4576","principal":{"policyVersion":"default","id":"123","roles":["admin"],"attr":{}},"resource":{"policyVersion":"default","kind":"user","instances":{"test_admin":{"attr":{}}}},"actions":["create","read","update","delete"]}' \
  --compressed
^^ this was from using the Node sdk
const cerbosEngine = new Cerbos(hostname);

const authorization = await cerbosEngine.check(data);
a
Thanks - just running a few checks. There are a few extra headers that Chrome must be adding.
j
Thank you!
Do you mean like the sec-ch-ua, sec-ch-ua-mobile, etc?
a
yup
j
Excellent, that works now. Thanks for the help!
a
Great!
j
I added in all of the extra headers like so:
cors:
  allowedHeaders:
    - Content-Type
    - Referer
    - sec-ch-ua
    - sec-ch-ua-mobile
    - sec-ch-ua-platform
    - User-Agent
and then retried the SDK call cerbosEngine.check(data) and can see the 200 response in Chrome DevTools.
a
Great!
Everything working as expected now?
j
My GET and POST requests look good. Going to try out a PUT request to try to add in some rules.
@Alex Olivier (Cerbos) - should PUT requests work the same way? With the following request, I'm getting the same CORS error (with http://localhost:4120/admin/policy as the url):
curl 'http://localhost:4120/admin/policy' \
  -X 'PUT' \
  -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Referer: http://localhost:4200/' \
  -H 'Content-Type: application/json' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw '{"policies":[{"apiVersion":"api.cerbos.dev/v1","resourcePolicy":{"version":"default","resource":"user","rules":[{"roles":["admin"],"actions":["*"],"effect":"EFFECT_ALLOW"},{"roles":["user"],"actions":["create","read"],"effect":"EFFECT_ALLOW"}]}}]}' \
  --compressed
my config file has these allowed headers:
cors:
  allowedHeaders:
    - Content-Type
    - Referer
    - sec-ch-ua
    - sec-ch-ua-mobile
    - sec-ch-ua-platform
    - User-Agent
    - Accept
c
I think PUT is not allowed by the CORS handler we have. We'll fix that in the upcoming release which is due next week.
j
Ok got it, thanks so much!
c
Hi, Cerbos 0.15.0 was released today and it contains the fix for allowing PUT.
j
Cool, thanks Charith!