Authentication error - Blocked by CORS policy

Hello,
I just deployed my Rails app with the forest gem, and the access to app.forestadmin.com shows an error : “Unable to authenticate you”.

I can see a JS error in the dev console:

Access to fetch at ‘https://admin.neocamino.com/forest/authentication’ from origin ‘https://app.forestadmin.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’.

Is there some kind of configuration to do on the Rails side?

Context

  • Rails: 5.2.6
  • Gem: forest_liana (7.2.2)
  • Project Name: Neocamino

CORS setup

# config/initializers/cors.rb
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'

    resource '*',
      headers: :any,
      methods: [:get, :post, :put, :patch, :delete, :options, :head],
      max_age: 1728000
  end
end

Request & Response

Screenshot 2021-10-07 at 18.39.37

Screenshot 2021-10-07 at 18.39.47

Screenshot 2021-10-07 at 18.40.01

Hello! I have the same error. Few days ago just fixed authentification issue and today got blocked again…

Context

  • Rails: 5.1, ruby 2.7.4
  • Gem: forest_liana (7.2.2)
  • Project Name: Spare Leash

CORS setup

#application.rb
 config.load_defaults 5.1

    null_regex = Regexp.new(/\Anull\z/)
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        hostnames = [null_regex, 'localhost:3000', 'app.forestadmin.com', 'localhost:3001']
        hostnames += ENV['CORS_ORIGINS'].split(',') if ENV['CORS_ORIGINS']
        origins hostnames
        resource '*',
          headers: :any,
          methods: :any,
          expose: ['Content-Disposition'],
          credentials: true
      end
    end

Request & Response

Please let us know if there is any solution for it.

@lclisson

Hello @jb_neocamino and thanks for posting your issue on our community forum,

  • Have you done something recently that could explain such behavior?
  • Did your authentication system used to work before?

Can you please share with me the failing request from the network tab of your chrome dev tools with its response if there is one?

Kind regards :slight_smile:

Hello @kittinson,

From what I remember your project was working recently so my first question is: Have you change something that could explain this behavior? When I try to access https://spareleash.com.cn/forest I have no response but it should respond a 204 usually

Have you done something on the server side?

Kind regards,
Louis

Hello @lclisson ! That’s right, we did not change anything. I just checked again and it works now. Not sure what was the issue, as I did not do anything on our side before is stopped working again and when it got it back.

1 Like

Maybe a restart of your server or something like that, happy to hear that it works again as before :slight_smile:

I managed to find the issue, maybe this is something to add in the docs for people on Rails with a CORS config.

I had to add the following in my config:

# config/initializers/cors.rb
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    # my original config, this can stay there
  end


  # Used for Forest Admin
  allow do
    origins 'https://app.forestadmin.com'

    resource '/forest/*',
      headers: :any,
      methods: [:get, :post, :put, :patch, :delete, :options, :head],
      credentials: true,
      max_age: 1728000
  end
end
1 Like

Thanks for the report!! :slight_smile:

haha that’s possible!

Though now I am experiencing problem deploying project with Rails 6, is there any differences with setup?

I have completely identical setting to project on Rails 5, but it still doesn’t authenticate me.

  • Rails: 6.1.3, ruby ‘3.0.0’
  • Gem: forest_liana (7.2.2)
  • Project Name: ADITTI

@lclisson

Thanks for your message @kittinson,

From what I know there should be no difference between 5 and 6, can you share with me the request failing link to the /authentication 403 call?