Cors issue on v8.4.7

Feature(s) impacted

Action

Observed behavior

Upon Action, on development, I’m getting a Cors problem

Expected behavior

After upgrading to v8 all is goo in the READ operation, but the Action is returning the CORS problem on development. this is my current cors configurations :

    app.use(express.json({
        limit: '50mb'
    }))
    app.use(express.urlencoded({
        extended: false,
        limit: '50mb'
    }))
    app.use(cookieParser())
    app.use(express.static(path.join(__dirname, '..', 'public')))
    let allowedOrigins = ['*.forestadmin.com', '*.run.app'];
    const corsConfig = {
        origin: allowedOrigins,
        allowedHeaders: ['Forest-Context-Url', 'Authorization', 'X-Requested-With', 'Content-Type'],
        maxAge: 86400, // NOTICE: 1 day
        credentials: true,
    };
    app.use('/forest/authentication', cors({
        ...corsConfig,
        origin: corsConfig.origin.concat('null')
    }));
    app.use(cors(corsConfig));
    app.use(jwt({
        secret: process.env.FOREST_AUTH_SECRET,
        credentialsRequired: false,
        algorithms: ['HS256']
    }))

Failure Logs

Access to fetch at 'http://localhost:3000/forest/actions/actiona-name?timezone=Europe%2F' from origin 'https://app.forestadmin.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Knowing that it was working fine before doing the upgrade, m’i missing anything?

Console log :
info : OPTIONS /forest/actions/action-route/action-name?timezone=Europe%2F 200 4 - 57.825 ms

Context

I can share all the needed information in Private due to project requirements.

"forest-express-sequelize": "^8.4.7",
"express": "~4.17.1"

Hello @Houssem_Yahiaoui,

All actions are returning a CORS problem? or just a specific one?

Hello @mian,

All of them seems to return the cors problem

Hello @Houssem_Yahiaoui,

Could you please share with us the full request and response for the erroneous OPTIONS call you mentioned?

By any chance, are you using CloudFlare for your project?

Thank you

@Guillaume_Deslandes Yes, CloudFlare is on, but The v5 is working as expected, but the v8 one doesn’t

@Houssem_Yahiaoui, thank you.

We have some issues with Cloudflare WAF services.

Can you please share the detailed response, to check if it is indeed Cloudflare that causes the issue?

Via your Cloudflare dashboard, you should be able to get the list of the WAF rules triggered by this error. Would you mind sharing it with me (as a DM) so I can send it to our team for investigation?

If this is indeed a Cloudflare issue, for now the only known workaround will be to disable Cloudflare WAF on /forest routes

Thank you.

@Guillaume_Deslandes
I actually don’t have a look on that part, but I know about a certain HTML injection problem raised by the action itself, but this was for uploaded files, the normal action used to work fine despite the WAF problem

@Houssem_Yahiaoui

You should be able to check the response details from your browser developer tools, network tab, when calling the action from your ForestAdmin online project.

@Guillaume_Deslandes I’ve sent you on private some metadata, can you please check? and we can take the conversation there?

Just for documentation :
I found out the problem, as if you’re using express-cors it will give you many issues, so switch to the cors module and keep the same cors configs and all will be good :slight_smile:

1 Like