CORS issues even when origins specified
Not sure what I'm doing wrong here
export default buildConfig({
serverURL: "https://beta.safsonline.com",
admin: {
user: Admins.slug,
},
cors: ["http://localhost:4200", "http://safsbeta1.safsonline.com", "http://safsbeta2.safsonline.com"],
csrf: ["http://localhost:4200", "http://safsbeta1.safsonline.com", "http://safsbeta2.safsonline.com"],
collections: [Admins, Users, Pages, Media, Documents],
typescript: {
outputFile: path.resolve(__dirname, "payload-types.ts"),
},
graphQL: {
schemaOutputFile: path.resolve(__dirname, "generated-schema.graphql"),
},
routes: {
api: '/payload/api',
admin: '/payload/admin',
graphQL: '/payload/graphql',
graphQLPlayground: '/payload/graphql-playground'
}
});
and in server
app.use(express.json());
app.use(
cors({
origin: ["http://localhost:4200", "http://safsbeta1.safsonline.com", "http://safsbeta2.safsonline.com"],
credentials: true,
})
);
You are getting the error on an https URL and only have http URLs listed. Maybe try changing your (what I assume is a production) safsbeta1.safsonline.com URL to https? Also if the 2nd snippet is from the same server that payload uses, I didn't need to set any CORS settings manually on the express instance.
for some reason on deploy payload-token cookie is not set in req, does anyone have this issue?
I don't, but here's a couple of things I would check:
- Are you logged in?
- Do you have CORS correctly configured
- Have you set the correct origins?
- Have you enabled the usage of credentials?
- Do you have CSRF correctly configured?
There are also other things that might cause that issue, but I would say these are the most common causes.
hi, thanks, yeah, everything is configured as per the docs and the example, the csrf cookies are set and i can see them, but not payload-token which only gets set when testing locally, what other things might cause this?
@ilyas771 This is usually a CORS / CSRF issue, specifically the token not being set. Do you have credentials set as an option in your cors/csrf config?
or rather
Do the CORS/CSRF listings match
yes, credentials:true, and the same list of domains for cors/csrf
Would you mind providing us with screenshots / copies of your configuration and the exact URLs you are using to test the application?
export default buildConfig({ serverURL: "https://cms.tengricomics.kz", admin: { user: Admins.slug, }, cors: ["https://dev.tengricomics.kz", "https://staging.tengricomics.kz"], csrf: ["https://dev.tengricomics.kz", "https://staging.tengricomics.kz], collections: [Admins, Users, Pages, Media, Widgets], typescript: { outputFile: path.resolve(__dirname, "payload-types.ts"), }, graphQL: { schemaOutputFile: path.resolve(__dirname, "generated-schema.graphql"), }, globals:["MainMenu"] });app.use( '/assets', express.static(path.resolve(__dirname, './assets')), ); app.use(injectEnvMiddleware); app.use( cors({ origin: [ 'https://dev.tengricomics.kz', 'https://staging.tengricomics.kz', ], credentials: true, }), ); // Redirect root to Admin panel app.get('/', (_, res) => { res.redirect('/admin'); });locally everything works fine, but on deploy the payload-token cookie is not being set on preview
also i tried adding
auth: {
cookies: {
secure: true,
sameSite: 'lax',
domain: '.tengricomics.kz',
},
},
versions: {
drafts: true,
}, to pages config, but in the cookies for
https://cms.tengricomics.kzI see that the payload-token domain is third-level domain, not all subdomains as in the auth object
Now it starts to become pretty hard to debug, especially since I can't even resolve your addresses. Anyway, since the payload documentation doesn't mention setting the cors config yourself on the express app, I would try to leave that out the
app.use(cors({...}))portion as that might affect the payload config. As for the cookie config: I would assume that you need to put a * in front of your domain (so '*.tengricomics.kz'), but it might also help to understand your requirements a bit better.
Continue the discussion in Discord
Star
Discord
online
Get help straight from the Payload team with an Enterprise License.