API GW Lambda proxy integration CORS issue - express

Trying to send a cookie back after a login request on my hobby project website. For some reason it works when running locally, i.e. http://localhost:3000. But as soon as I push my API online and try to access it through my live website, I see no cookie under Application -> Cookies -> website (using Chrome). I have googled a lot and I believe I have checked off every CORS policy.
The Node.js code is running in AWS Lambda and is invoked through API Gateway. API GW is reached through a CloudFront distribution (if it matters).
In my Express backend I have logged my headers accordingly:
res.cookie('jwt', token, cookieOptions);
console.log('Checking cookie', res);
console.log('Checking cookie', res.cookies);
res.status(statusCode).json({
  status: 'success',
  data: {
    user
  }
});
The output of this is, in part:
'access-control-allow-origin': [ 'Access-Control-Allow-Origin', 'https://example.com' ],
vary: [ 'Vary', 'Origin' ],
'access-control-allow-credentials': [ 'Access-Control-Allow-Credentials', 'true' ],
'access-control-allow-methods':
[ 'Access-Control-Allow-Methods',
'GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS' ],
'access-control-allow-headers':
[ 'Access-Control-Allow-Headers',
'Origin, X-Requested-With, Content-Type, Accept, X-PINGOTHER' ],
'x-ratelimit-limit': [ 'X-RateLimit-Limit', 100 ],
'x-ratelimit-remaining': [ 'X-RateLimit-Remaining', 97 ],
date: [ 'Date', 'Fri, 11 Dec 2020 23:20:28 GMT' ],
'x-ratelimit-reset': [ 'X-RateLimit-Reset', 1607732145 ],
quizappuserloggedin: [ 'QuizAppUserLoggedIn', 'false' ],
'set-cookie':
[ 'Set-Cookie', 'my-cookie; Path=/; Expires=Sat, 12 Dec 2020 23:20:34 GMT; HttpOnly; Secure' ]
From what I can tell I have set my CORS settings correctly. From my frontend I have set:
axios.defaults.withCredentials = true;
From what I can tell I have done everything I can find in Set cookies for cross origin requests
Meaning I have double-checked my CORS settings, and from the print statement it looks like the cookie is being sent. But why is the browser not picking it up?
I could post the actual site and GitHub repo if it helps; I have been stuck here for a while now.
UPDATE
I looked at the response headers in my browser and compared it against the headers in the backend api. From that comparison I can see that my "set-cookie" header isn't included in the response even though I can clearly see that it is included in the response from the backend:
UPDATE 2
I believe after further investigation that I have narrowed it down to being a CORS issue with AWS API Gateway. I looked into these, but still no luck.
How to add CORS header to AWS API Gateway response with lambda proxy integration activate
Amazon API gateway ignores set-cookie
Logs from the Lambda CloudWatch right before the response is sent by the Express framework, as well as CloudWatch logs from the API Gateway (response headers).
API GW cloudwatch logs of the response headers:
Lambda cloudwatch logs of the response object sent by express framework:

Turns out it wasn’t a CORS issue. I had simply forgotten to forward cookies from my cloudfront distribution.
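As an added example (not code from the question or the answer), this is the checklist a browser effectively applies before it stores a cookie from a credentialed cross-origin response: the CORS headers the question logged plus the cookie attributes themselves. Header names, the policy values and the sample response are constructed here; note that the cookie logged in the question carries no SameSite attribute, which a cross-site request would also need as SameSite=None even once the header is forwarded.

```javascript
// Added example (not from the question or answer): check whether a response to a
// cross-origin request made with credentials can actually get its cookie stored.
// Header names are lower-cased; Set-Cookie may be a string or an array of strings.
// Split one Set-Cookie line into the cookie name and a map of lower-cased attributes.
function parseSetCookie(line) {
  const [nameValue, ...attrs] = line.split(';').map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name: nameValue.split('=')[0], attributes };
}

// Returns a list of problems; an empty list means the browser has what it needs
// to accept the response and store the cookie for a cross-site request.
function checkCredentialedCookieResponse(requestOrigin, headers) {
  const problems = [];
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  const vary = (headers.vary || '').split(',').map((s) => s.trim().toLowerCase());

  if (acac !== 'true') problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  if (acao === '*') problems.push('Access-Control-Allow-Origin may not be "*" when credentials are used');
  else if (acao !== requestOrigin) problems.push(`Access-Control-Allow-Origin "${acao}" does not match the request origin`);
  if (!vary.includes('origin')) problems.push('Vary: Origin missing; a cache in front (e.g. CloudFront) may reuse the wrong ACAO');

  const setCookie = [].concat(headers['set-cookie'] || []);
  if (setCookie.length === 0) problems.push('no Set-Cookie header reached the client');
  for (const line of setCookie) {
    const { name, attributes } = parseSetCookie(line);
    if (!('secure' in attributes)) problems.push(`cookie ${name}: Secure attribute missing`);
    if (String(attributes.samesite).toLowerCase() !== 'none') {
      problems.push(`cookie ${name}: SameSite=None is required for a cookie set by a cross-site response`);
    }
  }
  return problems;
}

// Constructed sample modelled on the headers logged in the question (no SameSite attribute).
const sampleHeaders = {
  'access-control-allow-origin': 'https://example.com',
  'access-control-allow-credentials': 'true',
  vary: 'Origin',
  'set-cookie': ['jwt=my-cookie; Path=/; HttpOnly; Secure'],
};
console.log(checkCredentialedCookieResponse('https://example.com', sampleHeaders));
```

Removing the Set-Cookie entry from the sample reproduces what the browser saw here once CloudFront dropped the header: the check reports that no cookie reached the client.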

Related

Unable To Configure BunnyCDN with AWS S3 For HLS Streaming

I have successfully configured an S3 bucket with BunnyCDN and am able to access files through it. Now I am facing an issue when I try to stream HLS-encrypted video with BunnyCDN that is stored in the S3 bucket.
In the browser console I am getting an error like this:
Access to XMLHttpRequest at 'https://ovb-video.b-cdn.net/bcdn_token=hT1XzEdqq1xj5TGhEgM8JP1WsTeHzvfxmqfL3g3-_RE&expires=1632877673&token_path=%2F/books/11/2/video.m3u8' from origin 'https://my-domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Since we have to specify allowed origins when the request's credentials mode is true, I have specified the CORS policy at S3 like this:
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "POST",
      "GET",
      "PUT",
      "HEAD"
    ],
    "AllowedOrigins": [
      "https://my-domain.com",
      "https://ovb-video.b-cdn.net"
    ],
    "ExposeHeaders": []
  }
]
In the BunnyCDN panel I have also specified m3u8, ts, key in headers, but still no luck.
Can anybody please let me know what I am doing wrong?
You have to add 3 edge rules for that particular pull zone so that it can serve data from S3. Please find screenshots of the 3 edge rules.

Vue Firebase Verify ID Token CORS issue

I am trying to verify an ID Token using the Firebase Admin SDK as per instructions. My current auth code looks like this (in Vue):
// Auth.vue, inside the firebaseui config callback
signInSuccessWithAuthResult: function(authResult, redirectUrl) {
  authResult.user
    .getIdToken(/* forceRefresh */ true)
    .then(function(idToken) {
      // Send token to your backend via HTTPS
      // ...
      console.log(idToken);
    })
    .catch(function(error) {
      // Handle error
      console.log(error);
    });
}
The login works fine and I can get authResult perfectly. However, it seems the function getIdToken is the problem, as I get the following error on my console:
Cross-Origin Request Blocked:
The Same Origin Policy disallows reading the remote resource at
https://securetoken.googleapis.com/v1/token?key=AIzaSyApp5yu051vMJlNLoQ1ngVSd-f2k7Pdavc.
(Reason: CORS request did not succeed).
In my request list, the one hanging is an OPTIONS method, with the following headers:
OPTIONS /v1/token?key=AIzaSyApp5yu051vMJlNLoQ1ngVSd-f2k7Pdavc HTTP/1.1
Host: securetoken.googleapis.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,pt-BR;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: x-client-version
Origin: http://localhost:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
I am not even sure where the problem lies. Is it coming from the Vue side? I am running it in a dev server (by a simple yarn serve, Vue CLI 3). Would the solution be to run Vue on a production server where I can actually configure CORS?
Any light on the matter is extremely welcome...
Thanks!!
Figured it out.
I was calling it in the wrong place. What helped was this thread, which pointed me to Preflighted Requests, which is what the OPTIONS request is:
"preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.
So I realized I should not be sending this request within my Post request where I got the authorization in the first place. Moving it to another method made it work.
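The other side of the preflight quoted above, as an added example that is not part of the question or answer: the decision a server makes when an OPTIONS request arrives with Origin, Access-Control-Request-Method and Access-Control-Request-Headers, and the response it returns. The policy object, header layout and sample request are constructed for illustration; the real endpoint here belongs to Google and is not configurable by the asker.

```javascript
// Added example (not from the question or answer): how a server decides a CORS
// preflight. Request header names are lower-cased as Node's http module delivers them.
// Constructed allow-list policy; all values here are illustrative.
const policy = {
  allowedOrigins: ['http://localhost:8080', 'https://app.example.com'],
  allowedMethods: ['GET', 'POST'],
  allowedHeaders: ['content-type', 'x-client-version'], // compared case-insensitively
  maxAgeSeconds: 600,
};

// Returns { status, headers } for the preflight response. A 403 without CORS headers
// means the browser reports "CORS request did not succeed" and never sends the real request.
function answerPreflight(reqHeaders, pol) {
  const origin = reqHeaders.origin;
  const method = (reqHeaders['access-control-request-method'] || '').toUpperCase();
  const requested = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  const originOk = pol.allowedOrigins.includes(origin); // exact match, never a substring test
  const methodOk = pol.allowedMethods.includes(method);
  const headersOk = requested.every((h) => pol.allowedHeaders.includes(h));

  if (!originOk || !methodOk || !headersOk) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      // Echo the one matching origin rather than "*" so credentials remain possible,
      // and tell caches that the answer depends on Origin.
      'Access-Control-Allow-Origin': origin,
      'Vary': 'Origin',
      'Access-Control-Allow-Methods': pol.allowedMethods.join(', '),
      'Access-Control-Allow-Headers': requested.join(', '),
      'Access-Control-Max-Age': String(pol.maxAgeSeconds),
    },
  };
}

// Constructed sample mirroring the preflight quoted in the question.
const samplePreflight = {
  origin: 'http://localhost:8080',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'x-client-version',
};
console.log(answerPreflight(samplePreflight, policy));
```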

Not Getting Custom Nameservers Using Godaddy Api

I used this API call to get DNS records and nameservers using the domain name:
https://api.godaddy.com/v1/domains/testsd34.com/records/NS
GetRecords here is the API call.
For default GoDaddy nameservers it returns everything perfectly, but whenever I am using custom nameservers for a domain, this API call does not return the nameservers in the response; it returns an empty array.
Does anyone know how to get custom nameservers using this API call?
Finally, I found a way to get and edit nameservers for a domain.
(For custom nameservers, records are not set by GoDaddy, therefore you have to query the nameserver provider.)
The following is the API call for getting nameservers:
HTTP request:
GET https://api.godaddy.com/api/v1/domains/mydomain.com
HTTP headers:
Authorization -> sso-key my-key:my-secret
Content-Type -> application/json
The response will contain a JSON object which has the key "nameservers" with the pair of nameservers that you have. Example:
"nameServers": [
  "ns1.mynameservers.com",
  "ns2.mynameservers.com"
]
To edit the nameservers via the API, you can use the following call:
HTTP request:
PATCH https://api.godaddy.com/api/v1/domains/mydomain.com
HTTP headers:
Authorization -> sso-key my-key:my-secret
Content-Type -> application/json
HTTP body:
{
  "nameServers": [
    "ns3.mynameservers.com",
    "ns4.mynameservers.com"
  ]
}

Cross-Origin Resource Sharing between https and http?

I have a page that is hosted on both HTTP and HTTPS, and it makes an HTTP call with jQuery to a local HTTP server on the client computer with the following code:
var url = "http://127.0.0.1:1234/Ping";
var ajaxSettings = {
  url: url,
  timeout: 1000
};
return $.ajax(ajaxSettings);
The client application has the following headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Allow-Headers: Accept, Origin, Content-type
This works great when using HTTP, but when using HTTPS I get an error.
Is there any way to solve this? (Generating an SSL certificate and registering it seems a bit overkill.)

Flowdock REST API - Simple integrations

So we have been using the Flowdock Push API for quite some time now. We have been using it to push messages from our Continuous Integration server (Electric Commander) and it has been working pretty great. Today it is integrated into a PowerShell script.
Now I have been notified that the Push API is deprecated and will be removed "some day", along with a reference to the REST API's message feature.
Following the documentation I have been able to add messages from my personal API token directly to the chat. However, when I try to add a message to the inbox with the flow API token, I keep getting 404s.
I am using Fiddler's compose feature to fiddle (ha!) with the examples from the docs (I have anonymized it a bit):
POST https://api.flowdock.com/MYORGANIZATION/MYFLOW/mesages
User-Agent: Fiddler
Host: api.flowdock.com
Content-Length: 593
Content-Type: application/json
Accept: application/json
{
  "flow_token": "MYFLOWS API TOKEN",
  "event": "activity",
  "author": {
    "name": "anttipitkanen",
    "avatar": "https://avatars.githubusercontent.com/u/946511?v=2"
  },
  "title": "Opened pull request",
  "thread_id": "WT5yWsIpdvUPxP07lfgQDmLoGQQ",
  "external_thread_id": "github:component:pr:42",
  "thread": {
    "title": "Fix bug in thread API",
    "body": "Body with <b>HTML<b> formatting",
    "external_url": "https://github.com/flowdock/component/pull/42",
    "status": {
      "color": "green",
      "value": "open"
    }
  }
}
The raw response is:
HTTP/1.1 404 Not Found
Date: Thu, 08 Oct 2015 10:02:34 GMT
Status: 404 Not Found
Content-Type: application/json
X-Request-Id: ab39438c-07b7-48bf-bde8-c3b29478094d
X-Runtime: 0.007442
Strict-Transport-Security: max-age=31557600
X-Server-Id: 3c4883af38147558374983c6d90b2bb9badb86d4
Vary: Accept-Encoding
Transfer-Encoding: chunked
20
{"message":"Resource not found"}
0
Is the flow_token the API token for my flow? Or is it the dev token I have to sign up for?
This is not meant to work as an application; I just want to push the status of builds and deploys to the other developers.
https://www.flowdock.com/api/message-types#/activity
The correct endpoint is https://api.flowdock.com/flows/ORG/FLOW/messages.
The flow_token is a bit confusingly named, since it is not the flow API token; instead it is a source's flow_token. In order to get a flow_token for a source, you will need to create an application, then create a source for it in a certain flow. The easiest way to do this is using the "Tools for testing" section in the application.
Lastly you probably want to use only the "external_thread_id".