Hi everyone, I setup a flask backend according to the sample https://github.com/supertokens/supertokens-python/blob/master/examples/with-flask/with-thirdpartyemailpassword/app.py and my react frontend according to the recipe. There seems to be something wrong with my CORS configuration because I am getting: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource

Hi everyone, I setup a flask backend according to the sample https://github.com/supertokens/supertokens-python/blob/master/examples/with-flask/with-thirdpartyemailpassword/app.py and my react frontend according to the recipe. There seems to be something wrong with my CORS configuration because I am getting: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource

just from the default login ui of the react recipe

Can you post the configuration you used on the frontend and backend? (Stripping any API keys if you have used them)

tries to access "http://localhost:8080/auth/session/refresh" and gets an error

Could you also include the part where you call

init

for SuperTokens on the backend

yep sure

What values are

getApiDomain

and

getWebsiteDomain

using?

init( app_info=InputAppInfo( app_name="my app", api_domain="http://localhost:8080", website_domain="http://localhost:3000", api_base_path="/auth", website_base_path="/auth" ), supertokens_config=SupertokensConfig( # try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core. connection_uri="http://localhost:3567", api_key="xxxxxxxxxxx" ), framework='flask', recipe_list=[ session.init(), # initializes session features thirdpartyemailpassword.init( providers=[ # We have provided you with development keys which you can use for testsing. # IMPORTANT: Please replace them with your own OAuth keys for production use. Google( client_id='1060725074195-kmeum4crr01uirfl2op9kd5acmi9jutn.apps.googleusercontent.com', client_secret='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' # ), Facebook( # client_id='FACEBOOK_CLIENT_ID', # client_secret='FACEBOOK_CLIENT_SECRET' ), Github( client_id='467101b197249757c71f', client_secret='e97051221f4b6426e8fe8d51486396703012f5bd' ) ] ) ] )

Ah and just to make sure, when you start your React app it starts on port

3000

correct?

yep yep

Do you see any error logs on your server?

just this: "OPTIONS /auth/session/refresh HTTP/1.1" 404 -

Can you try it by removing the

methods

field in CORS?

same error 😦

Can you put CORS above the Middleware(app) and see if that works?

same 😦

Are you getting 404 for other OPTIONS endpoints as well?

don't have any other endpoints for OPTIONS

Also could you post the full setup code (including imports and such), just to make sure nothing got missed

yeap, one sec

Hmm nothing looks out of place, we will look into it. In the meantime could you create and issue for this on our

supertokens-python

repo?

also these are the versions of my dependencies: supertokens-python = "^0.6.2" python-dotenv = "^0.20.0" Flask-Cors = "^3.0.10"

Btw the sample app has this snippet at the bottom of the file

@app.route("/", defaults={"path": ""})  # type: ignore
@app.route("/<path:path>")  # type: ignore
def index(_: str):
    return ''

Yea that's the missing part. It is required so that flask doesn't return 404 for APIs we have exposed via our middleware

yeah hm right, I did it now and now it fails fails on another call: http://localhost:8080/auth/authorisationurl?thirdPartyId=google

Whats the error you see?

"OPTIONS /auth/authorisationurl?thirdPartyId=google HTTP/1.1" 404 -

Can you show how you have added those four lines pointed out by @User

that's perfect, it works now as expected!

Awesome, im glad you got it to work

I think the reason I removed it is that I tried a non-existing route (like /foo) and got that error:

Hmm, we will need to take a closer look at that. But in the meantime if you have any other issues feel free to ask!

thanks so much again! it just seems this setting "catches" all routes?

Well it would get to that point if no other route matches, but yeah thats the idea

I know its a tiny optimization and not a bug, but is there a way to avoid that?

It is a behaviour that may need to change and we will need to look into this so unfortunately I dont have any workarounds for you. If you like you could create an issue for it and track the status of this that way?

yep yep perfect, makes sense!

@User you can use this instead of what was pasted before:

@app.route('/', defaults={'u_path': ''}) # type: ignore
@app.route('/<path:u_path>') # type: ignore
def catch_all(u_path: str): # type: ignore
    abort(404)

The above will show a proper 404 page when you visit a path that doesn't exist

@rp thanks so much! will try it out!