CORS issues even when origins specified

thisisnotchris
6 months ago
16

Not sure what I'm doing wrong here



export default buildConfig({
  serverURL: "https://beta.safsonline.com",
  admin: {
    user: Admins.slug,
  },
  cors: ["http://localhost:4200", "http://safsbeta1.safsonline.com", "http://safsbeta2.safsonline.com"],
  csrf: ["http://localhost:4200", "http://safsbeta1.safsonline.com", "http://safsbeta2.safsonline.com"],
  collections: [Admins, Users, Pages, Media, Documents],
  typescript: {
    outputFile: path.resolve(__dirname, "payload-types.ts"),
  },
  graphQL: {
    schemaOutputFile: path.resolve(__dirname, "generated-schema.graphql"),
  },
  routes: {
    api: '/payload/api',
    admin: '/payload/admin',
    graphQL: '/payload/graphql',
    graphQLPlayground: '/payload/graphql-playground'
  }
});


and in server



app.use(express.json());
app.use(
  cors({
    origin: ["http://localhost:4200", "http://safsbeta1.safsonline.com", "http://safsbeta2.safsonline.com"],
    credentials: true,
  })
);
  • MichaelBOOM
    6 months ago

    You are getting the error on an https URL and only have http URLs listed. Maybe try changing your (what I assume is a production) safsbeta1.safsonline.com URL to https? Also if the 2nd snippet is from the same server that payload uses, I didn't need to set any CORS settings manually on the express instance.
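
Added example (not part of the thread): a small diagnostic for the mismatch described in the reply above. It reports why a request Origin fails an exact-match allowlist; the allowlist is the one posted in the question, while the request origins and function names are constructed for illustration.

```javascript
// Allowlist copied from the config posted in the question.
const ALLOWLIST = [
  "http://localhost:4200",
  "http://safsbeta1.safsonline.com",
  "http://safsbeta2.safsonline.com",
];

// An origin is scheme + host + port; default ports are made explicit for comparison.
function parseOrigin(value) {
  const u = new URL(value);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port, serialized: u.origin };
}

// Returns { allowed, reason } for one Origin header value (hypothetical helper).
function explainOrigin(requestOrigin, allowlist) {
  // String entries are compared for equality, as the express cors package does.
  if (allowlist.includes(requestOrigin)) return { allowed: true, reason: "exact match" };
  let req;
  try {
    req = parseOrigin(requestOrigin);
  } catch {
    return { allowed: false, reason: "not a parseable origin" };
  }
  for (const entry of allowlist) {
    const e = parseOrigin(entry);
    if (e.serialized === req.serialized) {
      return { allowed: false, reason: `entry "${entry}" is not a bare origin (trailing slash or path)` };
    }
    if (e.host === req.host && e.scheme !== req.scheme) {
      return { allowed: false, reason: `scheme mismatch: listed ${e.scheme}// but request uses ${req.scheme}//` };
    }
    if (e.host === req.host && e.port !== req.port) {
      return { allowed: false, reason: `port mismatch: listed ${e.port} but request uses ${req.port}` };
    }
  }
  return { allowed: false, reason: "host not listed" };
}

// Constructed request origins, one per failure mode.
for (const o of ["https://safsbeta1.safsonline.com", "http://localhost:3000", "http://safsbeta2.safsonline.com"]) {
  console.log(o, explainOrigin(o, ALLOWLIST));
}
```
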

  • ilyas771
    5 months ago

    for some reason on deploy payload-token cookie is not set in req, does anyone have this issue?

  • MichaelBOOM
    5 months ago

    I don't, but here's a couple of things I would check:

    - Are you logged in?
    - Do you have CORS correctly configured?
    - Have you set the correct origins?
    - Have you enabled the usage of credentials?
    - Do you have CSRF correctly configured?

    There are also other things that might cause that issue, but I would say these are the most common causes.

  • ilyas771
    5 months ago

    hi, thanks, yeah, everything is configured as per the docs and the example, the csrf cookies are set and i can see them, but not payload-token which only gets set when testing locally, what other things might cause this?

  • thisisnotchris
    5 months ago

    @ilyas771 This is usually a CORS / CSRF issue, specifically the token not being set. Do you have credentials set as an option in your cors/csrf config?

    or rather

    Do the CORS/CSRF listings match?

  • ilyas771
    5 months ago

    yes, credentials:true, and the same list of domains for cors/csrf

  • MichaelBOOM
    5 months ago

    Would you mind providing us with screenshots / copies of your configuration and the exact URLs you are using to test the application?

  • ilyas771
    5 months ago
    export default buildConfig({
      serverURL: "https://cms.tengricomics.kz",
      admin: {
        user: Admins.slug,
      },
      cors: ["https://dev.tengricomics.kz", "https://staging.tengricomics.kz"],
      csrf: ["https://dev.tengricomics.kz", "https://staging.tengricomics.kz"],
      collections: [Admins, Users, Pages, Media, Widgets],
      typescript: {
        outputFile: path.resolve(__dirname, "payload-types.ts"),
      },
      graphQL: {
        schemaOutputFile: path.resolve(__dirname, "generated-schema.graphql"),
      },
      globals: ["MainMenu"]
    });


    app.use(
      '/assets',
      express.static(path.resolve(__dirname, './assets')),
    );
    app.use(injectEnvMiddleware);
    app.use(
      cors({
        origin: [
          'https://dev.tengricomics.kz',
          'https://staging.tengricomics.kz',
        ],
        credentials: true,
      }),
    );
    // Redirect root to Admin panel
    app.get('/', (_, res) => {
      res.redirect('/admin');
    });


    locally everything works fine, but on deploy the payload-token cookie is not being set on preview



    also i tried adding

    auth: {
      cookies: {
        secure: true,
        sameSite: 'lax',
        domain: '.tengricomics.kz',
      },
    },
    versions: {
      drafts: true,
    },

    to pages config, but in the cookies for https://cms.tengricomics.kz I see that the payload-token domain is third-level domain, not all subdomains as in the auth object

  • MichaelBOOM
    5 months ago

    Now it starts to become pretty hard to debug, especially since I can't even resolve your addresses. Anyway, since the Payload documentation doesn't mention setting the cors config yourself on the express app, I would try to leave out the app.use(cors({...})) portion as that might affect the payload config. As for the cookie config: I would assume that you need to put a * in front of your domain (so '*.tengricomics.kz'), but it might also help to understand your requirements a bit better.
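
Added example (not part of the thread, and not Payload's code): a model of RFC 6265 cookie scoping for the hosts named above, showing which requests carry a cookie set by cms.tengricomics.kz depending on its Domain attribute. The helper names and cookie objects are constructed; SameSite and public-suffix checks are not modeled.

```javascript
// RFC 6265 section 5.1.3: a host matches when it is identical to the domain,
// or when it ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Models how a browser stores a Set-Cookie received from `setterHost`.
// Returns null when the cookie is rejected (hypothetical helper).
function storeCookie(setterHost, { name, domain, secure = false }) {
  if (!domain) {
    // No Domain attribute: host-only cookie, returned to the setting host alone.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true, secure };
  }
  const d = domain.replace(/^\./, "").toLowerCase(); // a leading dot is ignored (section 5.2.3)
  // The setting host must itself domain-match the attribute, otherwise the cookie is dropped.
  // The attribute is a literal domain name; the RFC defines no wildcard syntax.
  if (!domainMatch(setterHost, d)) return null;
  return { name, domain: d, hostOnly: false, secure };
}

// Would the stored cookie be attached to a request for `url`?
function sentTo(cookie, url) {
  if (!cookie) return false;
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatch(u.hostname, cookie.domain);
}

// Constructed cookies, all set by the CMS host from the thread.
const SETTER = "cms.tengricomics.kz";
const cases = {
  hostOnly: storeCookie(SETTER, { name: "payload-token", secure: true }),
  parentDomain: storeCookie(SETTER, { name: "payload-token", domain: ".tengricomics.kz", secure: true }),
  wildcard: storeCookie(SETTER, { name: "payload-token", domain: "*.tengricomics.kz", secure: true }),
};
for (const [label, cookie] of Object.entries(cases)) {
  console.log(label, "-> sent to dev.tengricomics.kz:", sentTo(cookie, "https://dev.tengricomics.kz/"));
}
```
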
