I know there are tons of CORS related questions but I can't seem to find the answer to this one.

This is my server side golang code (We are using github.com/rs/cors go module): We basically have set of apis that require an authorization header and some apis that don't (think checkout vs checkout as guest functionality)

allowedOrigins := []string{"http://localhost:3000", "http://localhost:3001"}
//allowedHeaders := []string{"Authorization"}
c := cors.New(cors.Options{AllowedOrigins: allowedOrigins, AllowCredentials: true})
handler := c.Handler(r)

What i found is the following:

// if allowcredentials is set to true, then all non auth requests go through but all auth requests return cors error

// if allowedHeaders: authorization is set then all **authenticated and NON authenticated** POST requests fail. GET works fine for both cases.

More specifically: The error I get is that AllowedOrigins is not set (??.. I get this in the PRE-FLIGHT OPTIONS response headers) when I try to execute a POST request and I set the AllowedHeaders:authorization option above.

If I comment that line (As you see above) then the non auth requests go through perfectly and the AllowedOrigins hader is sent back in the OPTIONS request..

CodePudding user response：

Fixed it....

https://github.com/rs/cors 

Has a nice CorsOptions Debug:true. I used that to inspect what was going on and the moment i hardcoded that I allowed Authorization to come into my server then the POST request was complaining afterwards because I was also sending content-type (automatically sent by client (axios), I didn't specify it).. and Server was saying pretty much "I only recognize authorization header"... I added Content-Type and it now works!

allowedHeaders := []string{"Authorization", "Content-Type"}