Cross-Origin Resource Sharing (CORS) affecting the development of OCL

That’s asking for the configuration to be done on the server. The second link, I have no idea what software that is!

Yes. By the image, the JavaScript/app is loaded from openmrs.qa.openconceptlab.org, and it’s trying to access (via JavaScript) api.qa.openconceptlab.org, using PUT. I think that’s the very definition of a CORS, right?

I think that’s by design? GET, OPTIONS and (apparently) some POSTs are allowed (I don’t think I blocked them server side). So PUT is exactly where I’d expect it to fail.

Yeah, the ticket created is for me to add it to nginx.

@hadijah315 your application is an nginx too, so have you tried to add it to your nginx? That might be sufficient. I think the external nginx doesn’t mess with those headers and options.

Please ignore what I said about adding that configuration to your nginx application. I was probably still half asleep, as this needs to be done to api.qa.o.o, and of course, that’s not your app.

I will get it done to qa pretty soon.

I implemented it a couple of days ago, as I mentioned on that ticket.

Can someone take a look if that worked?

Thanks @cintiadr can we check from the frontend

Sorry, was that a question?

Yes, I assume you should test that openmrs.qa.openconceptlab.org can now access api.qa.openconceptlab.org via CORS/PUT in JavaScript.

Any news here?

Hey @cintiadr, sorry for the silence but we are still affected by CORS

Uh, that’s unfortunate.

Can you show me how to test it in QA? What are the steps to reproduce the problem?

So try to log into https://openmrs.qa.openconceptlab.org/. For us, we had to install a CORS extension in our browser so as to be able to get any data. If they are disabled nothing is shown.

Just happened to notice this thread. It should be a very simple fix in Django API code. I’ll apply and deploy it to qa right away.

@cintiadr, Django API code now allows everything, but nginx settings still interfere. I see the following in a browser console when trying to log in at https://openmrs.qa.openconceptlab.org/.

Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Origin: openmrs.qa.openconceptlab.org

I think allow-origin should be set to https://openmrs.qa.openconceptlab.org instead of openmrs.qa.openconceptlab.org

Also please correct methods to be: DELETE, GET, OPTIONS, PATCH, POST, PUT

(the related issue in oclapi is https://github.com/OpenConceptLab/ocl_issues/issues/60)

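The two corrections requested in the post above, checked the way a browser evaluates a preflight response before sending a cross-origin PUT. This is an added example, not part of the original thread or the OCL code; the function names, the 204 status and the Access-Control-Allow-Headers value are assumptions.

```javascript
// Simplified browser-side CORS preflight check, following the Fetch standard rules.
// Assumes a request without cookies (with credentials, "*" is not a wildcard).
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

function parseList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// req: { origin, method, headers: [names] }; res: { status, headers: { lowercase-name: value } }
function checkPreflight(req, res) {
  if (res.status < 200 || res.status > 299) {
    return { allowed: false, reason: `preflight status ${res.status} is not 2xx` };
  }
  const allowOrigin = res.headers['access-control-allow-origin'];
  // Must be "*" or an exact match of the serialized origin (scheme://host[:port]).
  if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    return { allowed: false, reason: `origin mismatch: got "${allowOrigin}", need "${req.origin}"` };
  }
  const methods = parseList(res.headers['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.has(req.method) && !methods.includes(req.method) && !methods.includes('*')) {
    return { allowed: false, reason: `method ${req.method} not in Access-Control-Allow-Methods` };
  }
  const allowedHeaders = parseList(res.headers['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const wildcardOk = allowedHeaders.includes('*') && name !== 'authorization';
    if (!allowedHeaders.includes(name) && !wildcardOk) {
      return { allowed: false, reason: `header ${name} not in Access-Control-Allow-Headers` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// The cross-origin PUT from the frontend described in the thread (header names constructed).
const request = { origin: 'https://openmrs.qa.openconceptlab.org', method: 'PUT',
                  headers: ['Authorization', 'Content-Type'] };
// Status and Allow-Headers are constructed; origin and methods values come from the post.
function preflight(origin, methods) {
  return { status: 204, headers: {
    'access-control-allow-origin': origin,
    'access-control-allow-methods': methods,
    'access-control-allow-headers': 'authorization,content-type' } };
}
const observed = preflight('openmrs.qa.openconceptlab.org', 'GET, POST, OPTIONS');
const originFixed = preflight('https://openmrs.qa.openconceptlab.org', 'GET, POST, OPTIONS');
const bothFixed = preflight('https://openmrs.qa.openconceptlab.org', 'DELETE, GET, OPTIONS, PATCH, POST, PUT');
for (const [label, res] of Object.entries({ observed, originFixed, bothFixed })) {
  console.log(label, checkPreflight(request, res));
}
```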

Thanks @raff

Hello @raff, we have noticed that the build for the issue you raised to fix CORS is failing. Could you please check out this link: https://ci.openmrs.org/browse/OCL-OUT/latest Thanks. cc @dkayiwa

Fixed. Reverted accidental commit.

Awesome, thanks

Thanks @raff

I did the change requested by @raff.

Now the OPTIONS request returns a 204 for me, which seems reasonable to me. Not sure what the problem is now?

Hi,

Is there any update?

Hi @cintiadr we are still having CORS

Got it.

It’s important to follow up on this kind of thing, so we can actually act on it. None of us really understand CORS in detail, and we do not understand your app, so we need some feedback so we can actually do something about it.

This is what ended up working:

    location / {
        # Preflight requests are answered by nginx itself and never reach the backend
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST';
            add_header 'Access-Control-Allow-Headers' 'authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            #
            # Tell client that this pre-flight info is valid for 20 days
            #
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        # POST and GET are proxied to the backend; these headers are added to its responses
        if ($request_method = 'POST') {
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST';
            add_header 'Access-Control-Allow-Headers' 'authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        }
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST';
            add_header 'Access-Control-Allow-Headers' 'authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        }
        proxy_pass http://127.0.0.1:8000/;
    }

Also, just to let you know.

I suppose because I didn’t create anything in OCL, there’s a bunch of 500 errors after I log in:

Those URLs look pretty weird.