#community
Jake Hazelke

03/31/2022, 2:34 PM
Hi everyone - I'm running into a CORS issue with accessing my local Cerbos service from an Angular app. When I am making calls to my Cerbos service (both with the node SDK and a general POST request), I'm getting the following error:
Access to XMLHttpRequest at 'http://localhost:4120/api/check' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
http://localhost:4200 is my Angular app, http://localhost:4120/ is my Cerbos server. While reading through the Cerbos docs, it looks like CORS should be enabled by default. I also tried setting up a proxy (similar to this) to route http://localhost:4200/proxy/api/check -> http://localhost:4120/api/check, but when I do that, I get a connection refused:
[webpack-dev-server] [HPM] Error occurred while proxying request localhost:4200/api/server_info to http://localhost:4120/ [ECONNREFUSED] (https://nodejs.org/api/errors.html#errors_common_system_errors)
Any thoughts?
Alex Olivier (Cerbos)

03/31/2022, 2:37 PM
Hey - can you share your config file for Cerbos?
Jake Hazelke

03/31/2022, 2:44 PM
Sure thing!
---
server:
  httpListenAddr: ":4120"
  adminAPI:
    enabled: true
    adminCredentials:
      username: cerbos
      passwordHash: JDJ5JDEwJGI5d2k0QWNxT0RsSzFib1A2T0M1WXVzRC5pcHprTlFaMWxzVno0ZFB6MllmSlFwY29ycXFhCgo=
storage:
  driver: "postgres"
  postgres:
    url: "postgresql://cerbos_user:[password]@localhost:5432/Cerbos?sslmode=disable&search_path=cerbos"
    connPool:
      maxLifeTime: 5m
      maxIdleTime: 3m
      maxOpen: 10
      maxIdle: 5
Also, my GET request to http://localhost:4120/api/server_info returns a valid response.
Alex Olivier (Cerbos)

03/31/2022, 2:52 PM
That looks ok - do you have an example of a /api/check request I can use to try and replicate? You can right-click the failing call in Chrome devtools and 'copy as cURL'.
This usually happens when extra headers are added by whatever is sending the POST request. You should be able to see this in the request in DevTools, then add it to the allowedHeaders config: https://docs.cerbos.dev/cerbos/latest/configuration/server.html#_cors
Jake Hazelke

03/31/2022, 2:58 PM
curl 'http://localhost:4120/api/check' \
  -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"' \
  -H 'Referer: http://localhost:4200/' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'Content-Type: application/json' \
  --data-raw '{"requestId":"095b8b64-9524-4cea-8b82-a9efc54b4576","principal":{"policyVersion":"default","id":"123","roles":["admin"],"attr":{}},"resource":{"policyVersion":"default","kind":"user","instances":{"test_admin":{"attr":{}}}},"actions":["create","read","update","delete"]}' \
  --compressed
^^ this was from using the Node SDK:
const cerbosEngine = new Cerbos(hostname);

const authorization = await cerbosEngine.check(data);
Alex Olivier (Cerbos)

03/31/2022, 3:04 PM
Thanks - just running a few checks. There are a few extra headers that Chrome must be adding.
Jake Hazelke

03/31/2022, 3:05 PM
Thank you!
Do you mean like the sec-ch-ua, sec-ch-ua-mobile, etc.?
Alex Olivier (Cerbos)

03/31/2022, 3:06 PM
yup
Jake Hazelke

03/31/2022, 3:14 PM
Excellent, that works now. Thanks for the help!
Alex Olivier (Cerbos)

03/31/2022, 3:14 PM
Great!
Jake Hazelke

03/31/2022, 3:15 PM
I added in all of the extra headers like so:
cors:
    allowedHeaders:
      - Content-Type
      - Referer
      - sec-ch-ua
      - sec-ch-ua-mobile
      - sec-ch-ua-platform
      - User-Agent
and then retried the SDK call cerbosEngine.check(data) and can see the 200 response in Chrome DevTools.
Alex Olivier (Cerbos)

03/31/2022, 3:16 PM
Great!
Everything working as expected now?
Jake Hazelke

03/31/2022, 3:18 PM
My GET and POST requests look good. Going to try out a PUT request to try to add in some rules.
@Alex Olivier (Cerbos) - should PUT requests work the same way? With the following request, I'm getting the same CORS error (with http://localhost:4120/admin/policy as the url):
curl 'http://localhost:4120/admin/policy' \
  -X 'PUT' \
  -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Referer: http://localhost:4200/' \
  -H 'Content-Type: application/json' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw '{"policies":[{"apiVersion":"api.cerbos.dev/v1","resourcePolicy":{"version":"default","resource":"user","rules":[{"roles":["admin"],"actions":["*"],"effect":"EFFECT_ALLOW"},{"roles":["user"],"actions":["create","read"],"effect":"EFFECT_ALLOW"}]}}]}' \
  --compressed
My config file has these allowed headers:
cors:
    allowedHeaders:
      - Content-Type
      - Referer
      - sec-ch-ua
      - sec-ch-ua-mobile
      - sec-ch-ua-platform
      - User-Agent
      - Accept
Charith (Cerbos)

03/31/2022, 4:05 PM
I think PUT is not allowed by the CORS handler we have. We'll fix that in the upcoming release which is due next week.
Jake Hazelke

03/31/2022, 4:26 PM
Ok got it, thanks so much!
Charith (Cerbos)

04/04/2022, 7:58 AM
Hi, Cerbos 0.15.0 was released today and it contains the fix for allowing PUT.
Jake Hazelke

04/04/2022, 1:37 PM
Cool, thanks Charith!