CORS Error while setting up to production

Expected behavior

The app works perfectly fine in the development environment. After updating the .env file and deploying it on the server the app should work fine in the production environment as well.

Actual behavior

But I receive the following CORS error when I try to open the app in the production environment.

Screenshot 2021-06-24 at 6.32.06 PM2560×414 112 KB

Following is the .env file in production

APPLICATION_URL= *_application URL_*
APPLICATION_PORT=5000
PORT=5000
NODE_ENV=Production
CORS_ORIGINS=
DATABASE_URL= *_Mongo DB URL_*
DATABASE_SSL=true
DATABASE_REJECT_UNAUTHORIZED=false
FOREST_ENV_SECRET= *_FOREST_ENV_SECRET_*
FOREST_AUTH_SECRET=*_FOREST_AUTH_SECRET_*

Following is the code used for the CORS policies:

let allowedOrigins = [/\.forestadmin\.com$/, /localhost:\d{4}$/ ]

if (process.env.CORS_ORIGINS) {
  allowedOrigins = allowedOrigins.concat(process.env.CORS_ORIGINS.split(','));
}
const corsConfig = {
  origin: allowedOrigins,
  maxAge: 86400, // NOTICE: 1 day
  credentials: true,
};
app.use('/forest/authentication', cors({
  ...corsConfig,
  origin: corsConfig.origin.concat('null')
}));
app.use(cors(corsConfig));

I am running the node server in an EC2 instance on port 5000 and redirecting is done using NGINX.

It would be really great if the community could me out with resolving this issue.

Hello @Anupam_Rana and welcome on our cumunity forum,

Can you please give me your project name? And also, is your EC2 instance allowing forestadmin to share ressources with ?

Kind regards,
Louis

Thanks, lclisson for the quick response. The project name is “mScribe - Stagging”.

Sorry I didn’t exactly get what you mean by "is your EC2 instance allowing forestadmin to share resources with ?"

Also, when I make the following curl request on the server:
curl -I https://d1435vzflg6dnd.cloudfront.net/forest

I get the following response:

HTTP/2 204
date: Fri, 25 Jun 2021 04:40:46 GMT
server: nginx/1.18.0 (Ubuntu)
x-powered-by: Express
vary: Origin
access-control-allow-credentials: true
x-cache: Miss from cloudfront
via: 1.1 418a67fef069e9fd015a10adc259465a.cloudfront.net (CloudFront)
x-amz-cf-pop: BOM51-C2
x-amz-cf-id: 6NkInADUNtBcstMyTgQh5fuE0_nLvMnbqiKIjpvBAaUsvHUnSUs7yw==

And following is the error while trying to app the app in the production environment:

Screenshot 2021-06-25 at 9.58.48 AM2560×1380 198 KB

Screenshot 2021-06-25 at 10.14.03 AM2560×1516 545 KB

I was thinking of if you were able to ping your server or not, which you just did successfully.

The CORS issue you’r facing is probably due to a misconfiguration on a header sent with the request. Can you please share to me the request & response header of the failing request?

Following is the request & response header of the failing request:

Screenshot 2021-06-25 at 2.58.21 PM2258×1372 418 KB

Screenshot 2021-06-25 at 2.58.33 PM2232×1360 294 KB

Also following is the error that is being displayed on the console:

Screenshot 2021-06-25 at 3.01.22 PM2560×1078 561 KB

I have also attached the CORS configuration in the above messages.

Can you try to set this corsConfig object instead of the one you have in your app.js file please and let me know if it helps

const corsConfig = {
  origin: allowedOrigins,
  allowedHeaders: ['Authorization', 'X-Requested-With', 'Content-Type'],
  maxAge: 86400, // NOTICE: 1 day
  credentials: true,
};

Thanks lclisson. I have updated the corsConfig which you have shared and the CORS issue has been resolved and the issue is no more reflecting in the console.

But I am seeing a strange thing in the console. I have updated the production link in forestadmin dashboard as well as in the .env file as the production app link. But still, in the console authentication, the API is getting hit on the localhost URL. I guess if we resolve that the app should start working.
Following is a screenshot for reference:

Screenshot 2021-06-25 at 7.42.23 PM2554×1510 708 KB

What value of APPLICATION_URL have you defined in .env file ?

Following is the value defined in .env file:

Screenshot 2021-06-25 at 8.40.24 PM1876×76 11.3 KB

Also, the following is the value in the forestadmin app:

Screenshot 2021-06-25 at 8.41.04 PM2558×1378 176 KB

What is the network call that is failing & what is the response from it?

Do you have any logs from your server that could help?

Following are the logs in the server:

Screenshot 2021-06-25 at 10.54.48 PM1194×480 240 KB

Following is networ call:

Screenshot 2021-06-25 at 10.55.06 PM2560×928 360 KB

And following is the response:
{"errors":[{"status":500,"detail":"Invalid response from the authentication server: the state parameter is missing","name":"Error"}]}

The format of the request sent to your server is correct and I don’t see any misconfiguration from that point of view. As there was an error in your app.js file before, can you share with me all the content of the file so I can double check everything is all right ?

Sure lclisson. Following is the content of the app.js file:

const dotenv = require('dotenv').config();
const express = require('express');
const fs = require('fs');
const fileType = require('file-type');
const multiparty = require('multiparty');
const path = require("path");
var Mongoose = require('mongoose');
const forest = require('forest-express-mongoose');
const DoctorSchema = require('./models/doctorSchema');
const PrescriptionSchema = require('./models/prescriptionSchema');
const cors = require('cors');

Mongoose.Promise = require('bluebird');
Mongoose.connect(process.env.DATABASE_URL, { useNewUrlParser: true, useUnifiedTopology: true });
const connection = Mongoose.connections[0];
console.log("DB Connected", process.env.DATABASE_URL);

const app = express();

var port = process.env.PORT || 5000;
let allowedOrigins = [/\.forestadmin\.com$/, /localhost:\d{4}$/, /\.mscribe\.com$/, 'mscribe.com', 'www.mscribe.com', "https://mscribe.in", "https://www.mscribe.in", "http://www.mscribe.in", "http://mscribe.in"]

if (process.env.CORS_ORIGINS) {
    allowedOrigins = allowedOrigins.concat(process.env.CORS_ORIGINS.split(','));
}

const corsConfig = {
    origin: allowedOrigins,
    maxAge: 86400, // NOTICE: 1 day
    credentials: true,
};

app.use('/forest/authentication', cors({
    ...corsConfig,
    origin: corsConfig.origin.concat('null')
}));

app.use(cors(corsConfig));


app.get('/', (req, res) => {
    res.send("Hi! I am servy and I love to serve API requests - Mscribe Backend - 4");
});


app.listen(port, async () => {
    app.use(
        await forest.init({
            envSecret: process.env.FOREST_ENV_SECRET,
            authSecret: process.env.FOREST_AUTH_SECRET,
            objectMapping: Mongoose,
            connections: { default: connection },
        })
    );
});

console.log('Server up and running...', port);

Looking at the creation date of your project and the lumber version used to generate it, I can see that the generated files are not the ones you are supposed to have and it could explain the authentication issue you are having

Have you copy/paste some files from a previous project? From what I see the easiest things should be to generate a new project with the latest lumber version which you can installed by running
npm install -g lumber-cli@latest -s

Hey all,

After investigating, it turned out that CloudFront was causing the issues:

• CloudFront was removing any query parameters from request, preventing the authentication system to perform correctly
• CloudFront was removing any headers preventing users from being correctly identified agent side (and thus 401 errors were always thrown)

@Anupam_Rana I let you add any useful information

Thanks, team Forestadmin for the quick resolution of the issue.

As mentioned above the project was working in a development environment but was not working in production when deployed on EC2 and sending the requests via CloudFront.

The first issue was that CloudFront in its default setting that removes the query parameters and headers from the request. You need to change the setting to allow all query parameters to be forwarded with the request. For headers, you need to allow origin and authorization headers to be forwarded.