Upgrading to v7 - CORS issue

This is a template you can use to report issues. You can also drag images, videos and include Preformatted text

Expected behavior

Pass the cors request and see the data.

Actual behavior

...callback?code=... request failed due to cors issue and next message appearing on popup:
Please verify that your admin backend is correctly configured and running.

Failure Logs

Shared with CloudApp


Followed by instructions from here Upgrade to v7 - Documentation. We used curl as described to get FOREST_CLIENT_ID and set it in .env all together with APPLICATION_URL. Also changed app.js same as on documentation.

curl -H "Content-Type: application/json" \
     -H "Authorization: Bearer FOREST_ENV_SECRET" \
     -X POST \
     -d '{"token_endpoint_auth_method": "none", "redirect_uris": ["APPLICATION_URL/forest/authentication/callback"]}' \

On the local, everything was working fine. So we want to deploy it to prod env.

First issue was with /forest/authentication. So what we did to fix authentication is:

  1. We used CURL to get a new FORECT_CLIENT_ID for the prod env and set new values in .env for prod. Authentication is passed !!!

Now we have an issue with a cors policy, but only on prod environments.
We tried to solve it by adding a domain to allowedOrigins:

let allowedOrigins = [

Can you help us with this. Are we in a good direction and what is missing to solve the cors policy issue?

  • Package Version: forest-express-sequelize@7.1.0
  • Express Version: express@4.16.3
  • Sequelize Version: sequelize@5.22.2
  • Database Dialect: mysql
  • Project Name: TymeshiftFA

Hello @Bojan_Antonijevic,

Can you check the headers that are sent in the OPTIONS request, to see which Origin is sent?

Can you check that the origin 'null' is allowed for the routes under /forest/authentication? This origin is sent by browsers after a redirection, and it’s the case at the end of an authentication request.

Hey @GuillaumeGautreau,

About headers on issued request we could see only this:

But from some previous request we have:
Shared with CloudApp

null should be allowed by this?

app.use('/forest/authentication', cors({
  // The null origin is sent by browsers for redirected AJAX calls
  // we need to support this in authentication routes because OIDC
  // redirects to the callback route
  origin: corsConfig.origin.concat('null'),

Hello @Bojan_Antonijevic,

Before this request that is failing, you should have a request on the same URI, but with the verb OPTIONS. Both headers from the request and the response are important here to be able to identify your issue.

For what I can see, you are showing me headers of the GET request, that is blocked by the browser because of the OPTIONS request.

Maybe you filtered your network tab to only show xhr requests. In this case you cannot see the OPTIONS request that is sent just before. Just click on “All” in the network tab to display all requests.

Thanks @GuillaumeGautreau,

Is this one correct?

Hello @Bojan_Antonijevic,

Thanks for your answer. Yes, this is this request.

As you can see, the requested Origin is null and the server responds with an authorized origin (Access-Control-Allow-Origin) of https://app.forestadmin.com which does not match the requested one. Ending up to an error on your browser.

So there is definitively a problem with the code that is supposed to handle cors requests with your agent.

Can you copy/paste all the code that is supposed to handle cors on your agent? Can you check that there is nowhere else some code that handles cors?

Can you also copy/paste the version of cors used by your agent?


1 Like

Hey @GuillaumeGautreau,

Thank you for your help. The issue was on our side. We change cors in our nginx, which solve the problem.

Appreciate your help.

1 Like

Thanks for the update @Bojan_Antonijevic.

It’s great that you found the solution!