I know there are tons of CORS-related questions, but I can't seem to find the answer to this one.
This is my server-side golang code (we are using the github.com/rs/cors Go module). We basically have a set of APIs that require an authorization header and some APIs that don't (think checkout vs. checkout as guest functionality):
```go
allowedOrigins := []string{"http://localhost:3000", "http://localhost:3001"}
//allowedHeaders := []string{"Authorization"}
c := cors.New(cors.Options{AllowedOrigins: allowedOrigins, AllowCredentials: true})
handler := c.Handler(r)
```
What I found is the following:
// if allowcredentials is set to true, then all non auth requests go through but all auth requests return cors error
// if allowedHeaders: authorization is set then all **authenticated and NON authenticated** POST requests fail. GET works fine for both cases.
More specifically: The error I get is that AllowedOrigins is not set (??.. I get this in the PRE-FLIGHT OPTIONS response headers) when I try to execute a POST request and I set the AllowedHeaders:authorization option above.
If I comment that line (as you see above), then the non-auth requests go through perfectly and the AllowedOrigins header is sent back in the OPTIONS request.
CodePudding user response:
Fixed it....
https://github.com/rs/cors has a nice CorsOptions Debug:true. I used that to inspect what was going on, and the moment I hardcoded that I allowed Authorization to come into my server, the POST request was complaining afterwards because I was also sending content-type (automatically sent by the client (axios), I didn't specify it), and the server was saying pretty much "I only recognize the authorization header". I added Content-Type and it now works!
```go
allowedHeaders := []string{"Authorization", "Content-Type"}
```
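The preflight behaviour described in this thread can be reproduced offline with the standard library alone. This is an added example, not code from the post or from rs/cors: `corsStandIn` is a hypothetical, simplified stand-in for the middleware, and `/checkout` is a constructed path.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsStandIn is a simplified stand-in (an assumption, not rs/cors): a preflight asking for a header outside `headers` gets no CORS headers.
func corsStandIn(origin string, headers []string, next http.Handler) http.Handler {
	ok := map[string]bool{}
	for _, h := range headers {
		ok[strings.ToLower(h)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		asked := r.Header.Get("Access-Control-Request-Headers")
		if r.Method != http.MethodOptions || r.Header.Get("Origin") != origin {
			next.ServeHTTP(w, r) // only the preflight path is modelled here
			return
		}
		for _, h := range strings.Split(asked, ",") {
			if h = strings.ToLower(strings.TrimSpace(h)); h != "" && !ok[h] {
				return // rejected: nothing is written, so Allow-Origin is missing
			}
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Access-Control-Allow-Headers", asked)
	})
}

// preflightAllowed replays a browser's POST preflight and reports whether Access-Control-Allow-Origin came back.
func preflightAllowed(h http.Handler, origin, askedHeaders string) bool {
	req := httptest.NewRequest(http.MethodOptions, "/checkout", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", askedHeaders)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin") == origin
}

func main() {
	const origin = "http://localhost:3000" // origin taken from the post
	before := corsStandIn(origin, []string{"Authorization"}, http.NotFoundHandler())
	after := corsStandIn(origin, []string{"Authorization", "Content-Type"}, http.NotFoundHandler())
	fmt.Println(preflightAllowed(before, origin, "authorization,content-type"), preflightAllowed(after, origin, "authorization,content-type"))
}
```

Passing the real `c.Handler(r)` as `h` to `preflightAllowed` runs the same check against the actual configuration, which makes a useful regression test whenever the allowed header list changes.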