No CORS fields in response header in production

Expected behavior

Response header should contain CORS fields.

Actual behavior

The response header contains CORS fields only locally; they are missing in production, raising a CORS issue.

Failure Logs

Local:
image

Production:

let allowedOrigins = [/\.forestadmin\.com$/]

if (process.env.CORS_ORIGINS) {
  allowedOrigins = allowedOrigins.concat(process.env.CORS_ORIGINS.split(','))
}

app.use(
  cors({
    origin: allowedOrigins,
    allowedHeaders: ['Authorization', 'X-Requested-With', 'Content-Type'],
    maxAge: 86400, // NOTICE: 1 day
    credentials: true
  })
)

I also tried to add the origin using the CORS_ORIGIN env variable, without any luck.

Context

I host the forest express server on Heroku.

If I roll back to a previously built version, everything works fine. But if I rebuild the same version, the issue comes back. I honestly don’t know how to investigate from here.

  • Express Version: 4.17.1
  • Sequelize Version: 5.15.1
  • Database Dialect: postgresql

Hi @AlexisSMT and welcome to our community :champagne:!

  • Could you please tell us on which URL you are experiencing this issue?
  • What is your project name?
  • What changed since your last version?

The project name is Pégase Support. There are two “remote” environments now: production and debug. They relate to two different node express servers, hosted on heroku, the second being a copy of the first:

  • production points to https://pegase-forest-support.herokuapp.com. The server has been built on Nov 5 2020.
  • debug points to https://pegase-forest-support-debug.herokuapp.com. The server uses the exact same code as the previous one, and has the exact same env variables. It has been built today, Feb 9 2021.

production works fine, but if I rebuild the server, the problem occurs and I have to roll back. For debug, the problem occurs.

For any table I open, the two following requests fail with a “CORS error” (Heroku logs a 503 request timeout).

production (working build)

GENERAL
Request URL: https://pegase-forest-support.herokuapp.com/forest/warning?fields%5Bwarning%5D=createdAt&page%5Bnumber%5D=1&page%5Bsize%5D=15&searchExtended=0&sort=-createdAt&timezone=Europe%2FParis
Request Method: GET
Status Code: 200 OK
Remote Address: 34.240.104.255:443
Referrer Policy: strict-origin-when-cross-origin

REQUEST HEADER
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.forestadmin.com
Connection: keep-alive
Content-Length: 4168
Content-Type: application/json; charset=utf-8
Date: Tue, 09 Feb 2021 18:51:30 GMT
Etag: W/"1048-VtQcLP/tcAPkgVRVeZk/Z97IDUU"
Server: Cowboy
Vary: Origin
Via: 1.1 vegur
X-Powered-By: Express

GENERAL
Request URL: https://pegase-forest-support.herokuapp.com/forest/warning/count?fields%5Bwarning%5D=createdAt&searchExtended=0&timezone=Europe%2FParis
Request Method: OPTIONS
Status Code: 204 No Content
Remote Address: 34.240.104.255:443
Referrer Policy: strict-origin-when-cross-origin

REQUEST HEADER
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.forestadmin.com
Connection: keep-alive
Content-Length: 13
Content-Type: application/json; charset=utf-8
Date: Tue, 09 Feb 2021 18:51:30 GMT
Etag: W/"d-oX0XoQV6LrHPoSgegMmPO224q2o"
Server: Cowboy
Vary: Origin
Via: 1.1 vegur
X-Powered-By: Express

debug

GENERAL
Request URL: https://pegase-forest-support-debug.herokuapp.com/forest/warning?fields%5Bwarning%5D=createdAt&page%5Bnumber%5D=1&page%5Bsize%5D=15&searchExtended=0&sort=-createdAt&timezone=Europe%2FParis
Referrer Policy: strict-origin-when-cross-origin

REQUEST HEADER
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Length: 506
Content-Type: text/html; charset=utf-8
Date: Tue, 09 Feb 2021 18:34:17 GMT
Server: Cowboy

GENERAL
Request URL: https://pegase-forest-support-debug.herokuapp.com/forest/warning/count?fields%5Bwarning%5D=createdAt&searchExtended=0&timezone=Europe%2FParis
Referrer Policy: strict-origin-when-cross-origin

REQUEST HEADER
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Length: 506
Content-Type: text/html; charset=utf-8
Date: Tue, 09 Feb 2021 18:34:17 GMT
Server: Cowboy

Thanks for the help.

PS: I find it a bit weird to share all these details in an open forum.
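
Added example (not part of the original posts): a small JavaScript check that reads response headers as copied from the browser's network tab and reports why a credentialed cross-origin request would be accepted or blocked, run over trimmed copies of the working and failing dumps above. The function names are hypothetical, and treating a missing X-Powered-By header as a sign that the response did not come from Express is a heuristic.

```javascript
// Parse "Name: value" lines (as copied from browser dev tools) into a map
// keyed by lower-cased header name.
function parseHeaders(text) {
  const headers = {};
  for (const line of text.split('\n')) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Explain why a browser accepts or blocks a credentialed cross-origin response.
function diagnoseCors(headerText, requestOrigin) {
  const h = parseHeaders(headerText);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    // Heuristic (assumption): Express adds X-Powered-By unless it is disabled,
    // so its absence suggests the response was produced in front of the app.
    return h['x-powered-by'] ? 'app-response-without-cors-headers'
                             : 'response-not-from-app';
  }
  // Browsers refuse a wildcard origin on requests that carry credentials.
  if (acao === '*') return 'wildcard-rejected-with-credentials';
  if (acao !== requestOrigin) return 'origin-mismatch';
  if (h['access-control-allow-credentials'] !== 'true') return 'credentials-not-allowed';
  // A per-origin answer should vary on Origin so caches do not mix responses.
  const vary = (h['vary'] || '').toLowerCase().split(',').map((v) => v.trim());
  return vary.includes('origin') || vary.includes('*') ? 'ok' : 'ok-but-missing-vary-origin';
}

// Header blocks copied (trimmed) from the dumps in this thread.
const WORKING = [
  'Access-Control-Allow-Credentials: true',
  'Access-Control-Allow-Origin: https://app.forestadmin.com',
  'Content-Type: application/json; charset=utf-8',
  'Server: Cowboy',
  'Vary: Origin',
  'X-Powered-By: Express',
].join('\n');
const FAILING = [
  'Cache-Control: no-cache, no-store',
  'Content-Length: 506',
  'Content-Type: text/html; charset=utf-8',
  'Server: Cowboy',
].join('\n');

console.log(diagnoseCors(WORKING, 'https://app.forestadmin.com'));
console.log(diagnoseCors(FAILING, 'https://app.forestadmin.com'));
```

A result of response-not-from-app means the CORS configuration was never consulted for that response, so the place to look is the server's own logs rather than the origin list.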

Hi @AlexisSMT,

Thanks for your answer!

Well, it’s still pretty unclear to me what’s going on here :thinking:

Could you please:

  • Show me the error screen that you have on your Forest Admin backend (or frontend)?
  • Tell us what are the changes that you need to “rollback” to make it work? Did you update forest-express-sequelize? Something else?

Thanks for your help!

Here is what we got:


About the rollback, I use the Heroku rollback feature (Releases and Rollbacks | Heroku). It doesn’t recompile to a previous state, it just moves back to a previous state. After I recompile the project I get the issue. I use the same code.

From yarn.lock

cors@2.8.5:
  version "2.8.5"
  resolved "https://registry.yarnpkg.com/cors/-/cors-2.8.5.tgz#eac11da51592dd86b9f06f6e7ac293b3df875d29"
  integrity sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==
  dependencies:
    object-assign "^4"
    vary "^1"

express-jwt@5.3.1:
  version "5.3.1"
  resolved "https://registry.yarnpkg.com/express-jwt/-/express-jwt-5.3.1.tgz#66f05c7dddb5409c037346a98b88965bb10ea4ae"
  integrity sha512-1C9RNq0wMp/JvsH/qZMlg3SIPvKu14YkZ4YYv7gJQ1Vq+Dv8LH9tLKenS5vMNth45gTlEUGx+ycp9IHIlaHP/g==
  dependencies:
    async "^1.5.0"
    express-unless "^0.3.0"
    jsonwebtoken "^8.1.0"
    lodash.set "^4.0.0"

express-unless@^0.3.0:
  version "0.3.1"
  resolved "https://registry.yarnpkg.com/express-unless/-/express-unless-0.3.1.tgz#2557c146e75beb903e2d247f9b5ba01452696e20"
  integrity sha1-JVfBRudb65A+LSR/m1ugFFJpbiA=

express@4.17.1:
  version "4.17.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134"
  integrity sha512-mHJ9O79RqluphRrcw2X/GTh3k9tVv8YcoyY4Kkh4WDMUYKRZUq0h1o0w2rrrxBqM7VoeUVqgb27xlEMXTnYt4g==
  dependencies:
    accepts "~1.3.7"
    array-flatten "1.1.1"
    body-parser "1.19.0"
    content-disposition "0.5.3"
    content-type "~1.0.4"
    cookie "0.4.0"
    cookie-signature "1.0.6"
    debug "2.6.9"
    depd "~1.1.2"
    encodeurl "~1.0.2"
    escape-html "~1.0.3"
    etag "~1.8.1"
    finalhandler "~1.1.2"
    fresh "0.5.2"
    merge-descriptors "1.0.1"
    methods "~1.1.2"
    on-finished "~2.3.0"
    parseurl "~1.3.3"
    path-to-regexp "0.1.7"
    proxy-addr "~2.0.5"
    qs "6.7.0"
    range-parser "~1.2.1"
    safe-buffer "5.1.2"
    send "0.17.1"
    serve-static "1.14.1"
    setprototypeof "1.1.1"
    statuses "~1.5.0"
    type-is "~1.6.18"
    utils-merge "1.0.1"
    vary "~1.1.2"

express@~4.16.3:
  version "4.16.4"
  resolved "https://registry.yarnpkg.com/express/-/express-4.16.4.tgz#fddef61926109e24c515ea97fd2f1bdbf62df12e"
  integrity sha512-j12Uuyb4FMrd/qQAm6uCHAkPtO8FDTRJZBDd5D2KOL2eLaz1yUNdUB/NOIyq0iU4q4cFarsUCrnFDPBcnksuOg==
  dependencies:
    accepts "~1.3.5"
    array-flatten "1.1.1"
    body-parser "1.18.3"
    content-disposition "0.5.2"
    content-type "~1.0.4"
    cookie "0.3.1"
    cookie-signature "1.0.6"
    debug "2.6.9"
    depd "~1.1.2"
    encodeurl "~1.0.2"
    escape-html "~1.0.3"
    etag "~1.8.1"
    finalhandler "1.1.1"
    fresh "0.5.2"
    merge-descriptors "1.0.1"
    methods "~1.1.2"
    on-finished "~2.3.0"
    parseurl "~1.3.2"
    path-to-regexp "0.1.7"
    proxy-addr "~2.0.4"
    qs "6.5.2"
    range-parser "~1.2.0"
    safe-buffer "5.1.2"
    send "0.16.2"
    serve-static "1.13.2"
    setprototypeof "1.1.0"
    statuses "~1.4.0"
    type-is "~1.6.16"
    utils-merge "1.0.1"
    vary "~1.1.2"

forest-express-sequelize@^6.0.0:
  version "6.0.0"
  resolved "https://registry.yarnpkg.com/forest-express-sequelize/-/forest-express-sequelize-6.0.0.tgz#9a046cfb88370b2f6d0d14f4815116c29156576b"
  integrity sha512-CZuf5SKF1PD9Wy7qyZ+20Fl9cKbevslAEouEyJlRJS4p0y0obSIZ2jjALIc9mLfHqJfh0+axFtmfvtkWkO+nWA==
  dependencies:
    "@babel/runtime" "7.8.3"
    bluebird "2.9.25"
    forest-express "7.0.1"
    http-errors "1.6.1"
    lodash "4.17.13"
    moment "2.19.4"
    semver "5.4.1"

forest-express@7.0.1:
  version "7.0.1"
  resolved "https://registry.yarnpkg.com/forest-express/-/forest-express-7.0.1.tgz#9deee488a1923b8f1d84dcf1d08f1eeee0e385b2"
  integrity sha512-il+CC2KgE5hz9kni2E/T6DSCuv7zsRmEc0hgt66N3TdxVwu/k0ApWNKdBwXNZ8sDZt3EGjGscnS9dlyrObPtwg==
  dependencies:
    "@babel/runtime" "7.8.3"
    base32-encode "1.1.1"
    bitwise-xor "0.0.0"
    bluebird "3.7.1"
    body-parser "1.19.0"
    compose-middleware "4.0.0"
    cors "2.8.5"
    csv-stringify "1.0.4"
    express "4.17.1"
    express-jwt "5.3.1"
    forest-ip-utils "1.0.1"
    http-errors "1.7.3"
    inflected "2.0.4"
    jsonapi-serializer "3.6.5"
    jsonwebtoken "8.5.1"
    lodash "4.17.15"
    moment "2.24.0"
    moment-timezone "0.5.26"
    otplib "11.0.1"
    require-all "3.0.0"
    semver "6.3.0"
    superagent "3.7.0"
    useragent "2.1.13"
    uuid "3.3.3"
    verror "1.10.0"
    winston "3.2.1"

forest-ip-utils@1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/forest-ip-utils/-/forest-ip-utils-1.0.1.tgz#4c53a4c1e16f20beed71ee862315e18b34508d0c"
  integrity sha512-m/pXGliPvJ6pt5/kyTgNT3X4AKHBdeKJX+cg1RVHWrQiqvD7Qs6WbSaP8/l1nJz1FhrLC/EQJAWXTj/kdJjDEQ==
  dependencies:
    ip-address "^5.8.9"
    range_check "^1.4.0"

The problem is finally solved!

My investigation led me to create a brand new project using the same database for which I faced a postgresql/sequelize issue. I decided then to take a deeper look at this part of my main project too:

I upgraded pg from 6.1.0 to 8.5.1.
Then I faced the “self signed certificate” sequelize error, which was solved by setting the rejectUnauthorized sequelize option.
And then nothing, it was working smoothly :slight_smile:

I do not know why the pg version was an issue. Nor do I understand the consequences of setting rejectUnauthorized to false. Maybe you can enlighten me?

Happy to hear that you found your way out of this issue!

However, you should not need to set this rejectUnauthorized to false :thinking:
What exactly is the error that you are facing when removing it?

Could you tell me what is your node version? :pray:

I faced this issue:

https://node-postgres.com/announcements#2020-02-25
https://help.heroku.com/MDM23G46/why-am-i-getting-an-error-when-i-upgrade-to-pg-8

The node version used is 14.15.5. Here are some of the build logs with the corresponding info:

-----> Building on the Heroku-18 stack
-----> Node.js app detected
       
-----> Creating runtime environment
       
       NPM_CONFIG_LOGLEVEL=error
       USE_YARN_CACHE=true
       NODE_ENV=production
       NODE_MODULES_CACHE=true
       NODE_VERBOSE=false
       
-----> Installing binaries
       engines.node (package.json):  unspecified
       engines.npm (package.json):   unspecified (use default)
       engines.yarn (package.json):  unspecified (use default)
       
       Resolving node version 14.x...
       Downloading and installing node 14.15.5...
       Using default npm version: 6.14.11
       Resolving yarn version 1.22.x...
       Downloading and installing yarn (1.22.10)
       Installed yarn 1.22.10

Hello,

This error is thrown when the connection to your database is secured with SSL, but is using a self-signed certificate, and not a certificate that is signed by a known certificate authority.

I don’t know how your DB is configured, but if you are actually using a self-signed certificate, then this option is legit and necessary to tell pg not to worry about the signature. It should be possible to install the certificate on your server to be able to check it without setting this option, but I don’t know how to proceed.

On the other hand, if the certificate is signed by a known authority, then setting this option is a problem and should be investigated.

Do you know how this certificate has been signed?
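
Added example, not code from the thread or from Forest Admin: one way to keep certificate verification on by handing pg the server's CA or self-signed certificate instead of setting rejectUnauthorized to false. PG_CA_CERT and PG_INSECURE_TLS are hypothetical variable names, and it assumes the database certificate can be obtained as PEM.

```javascript
// Matches each PEM certificate block in a string.
const CERT_BLOCK = /-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----/g;

// Build the `ssl` object that pg passes to Node's TLS layer
// (with Sequelize it goes under dialectOptions.ssl).
// PG_CA_CERT and PG_INSECURE_TLS are hypothetical names used by this example.
function buildPgSsl(env) {
  if (env.PG_INSECURE_TLS === 'true') {
    if (env.NODE_ENV === 'production') {
      throw new Error('refusing to disable certificate verification in production');
    }
    // Encrypted but unauthenticated: any certificate is accepted.
    return { rejectUnauthorized: false };
  }
  if (!env.PG_CA_CERT) {
    // No private CA supplied: verify against Node's default trust store.
    return { rejectUnauthorized: true };
  }
  // Config variables often hold PEM with literal "\n"; restore real newlines.
  const pem = env.PG_CA_CERT.replace(/\\n/g, '\n');
  const certs = pem.match(CERT_BLOCK);
  if (!certs) throw new Error('PG_CA_CERT does not contain a PEM certificate');
  // Trust only the supplied certificate(s) and keep verification on.
  return { rejectUnauthorized: true, ca: certs };
}

// Shape of the Sequelize options this feeds into (no connection is made here).
function sequelizeOptions(env) {
  return { dialect: 'postgres', dialectOptions: { ssl: buildPgSsl(env) } };
}

// Constructed placeholder PEM (not a real certificate) to exercise the parsing.
const SAMPLE_CA =
  '-----BEGIN CERTIFICATE-----\\nTUlJQ29uc3RydWN0ZWQ=\\n-----END CERTIFICATE-----';

console.log(sequelizeOptions({ NODE_ENV: 'production', PG_CA_CERT: SAMPLE_CA }));
```

With rejectUnauthorized set to false the connection is still encrypted, but the client accepts any certificate, so it cannot tell the real database from an impostor on the network path.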