Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
cors issue
r
Raf
05/05/2023, 6:39 PMQuestion supertokens React SDK:
Does anybody know where the SDK makes the modifications to Access-Control-Request-Headers to add "st-auth-mode"?
I'm not 100% but there might be a bug in there when working with fastapi. Here is my reasoning:
1. I get a 400 on OPTIONS when trying to do a POST. The usual CORS, not allowed blah blah blah
2. FastApi is setup the same way as the recipe: allow_headers=["Content-Type"] + get_all_cors_headers(),
With the above config, fastapi will respond with: Accept, Accept-Language, Content-Language, Content-Type, anti-csrf, authorization, fdi-version, rid, st-auth-mode
but the request came in with: access-control-allow-origin,content-type,rid,st-auth-mode
and the browser blows up with CORS error.
If I use a wild card in fastapi: allow_headers="*", then everything works fine
I'm not super familiar with how this works, can somebody shed some light why this does not work without a wildcard?
r
rp
05/06/2023, 4:55 AMhey @Raf this does not seem like a bug in the sdk, rather an issue with your cors cnfig on the backend - what's the exact cors error on the browser?
r
Raf
05/06/2023, 1:23 PM400 Bad request
r
rp
05/06/2023, 1:25 PMThat seems to be a cors related issue the You might wanna see the docs of the cors lib being used.
r
Raf
05/06/2023, 1:27 PMCORS config on the backend is 100% as in the recipe in the docs:
app = FastAPI()
app.add_middleware(get_middleware())
app.add_middleware(
CORSMiddleware,
allow_origins=[
"http://localhost:4173",
"http://localhost:5173",
"http://0.0.0.0:5173",
"http://192.168.0.17:5173"
],
allow_credentials=True,
allow_methods=["GET", "PUT", "POST", "DELETE", "OPTIONS", "PATCH"],
allow_headers=["Content-Type"] + get_all_cors_headers(),
)but this works perfectly fine:
app.add_middleware(
CORSMiddleware,
allow_origins=[
"http://localhost:4173",
"http://localhost:5173",
"http://0.0.0.0:5173",
"http://192.168.0.17:5173"
],
allow_credentials=True,
allow_methods=["GET", "PUT", "POST", "DELETE", "OPTIONS", "PATCH"],
allow_headers=["*"],
)and with the recipe config, it's only the OPTIONS on a POST request that fails
r
rp
05/06/2023, 1:30 PMSo it’s get_all_cors_headers that’s causing it to fail?
r
Raf
05/06/2023, 1:40 PMlooks like it
what I think is happening is that when a wildcard is used in fastapi, the server just takes whatever the client sent and sends it back as accepted-headers and everything works
I'm still looking through the code base to see if there is any other lib that might be adding any type of axios defaults that might be messing this up from the client side
r
rp
05/06/2023, 2:10 PMRight. I’m not sure why this could be happening. Have you tried our demo app using the CLI? That works as expected. Maybe see the differences between that and your app
r
Raf
05/06/2023, 5:10 PMI found the culprit. There was a leftover code from trying some of the lib:
axios.defaults.headers['Content-type'] = 'application/json';
axios.defaults.headers.post['Access-Control-Allow-Origin'] = '*';
r
rp
05/06/2023, 5:10 PMRight! That’s great
r
Raf
05/06/2023, 5:10 PMSorry for waisting your time