CORS 'Allow-Credentials' Nodejs/Express

My project is running on Node with an Express backend.

I'm trying to query my Arango database clientside with Arangojs. ArangoDB is running on Docker on Digital Ocean. I have no issues querying my database serverside, however I get the following error on page load:

Failed to load http://0.0.0.0:8529/_db/database/_api/cursor: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is 'false' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:3000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

My code on the clientside js looks like this:

var db = new arangojs.Database({url:'http://0.0.0.0:8529'})
db.useDatabase(dbase)
db.useBasicAuth("database", 'password')
db.query('FOR doc IN docs RETURN doc') // etc. etc.

EDIT: 1 year later in hindsight this question is pretty silly - The correct answer for this is don't expose your database credentials through clientside JS... Communicate with your backend, and have that communicate with your datastore.

Answers:

Answer

You are configuring cors() wrong, you have to use credentials property in order to configure Access-Control-Allow-Credentials:

var cors = require('cors');
var corsOptions = {
    origin: '*',
    credentials: true };

app.use(cors(corsOptions));

Besides that, your app.all(* ... isnt necessary because app.use(cors(corsOptions)); will already handle it for you.

Answer

You must set origin with a "trusted" URL or an array of "trusted" URLs, each with protocol + domain + port when, you configure cors with credentials. origin : '*' is blocked, because using credentials for every origin is too permissive. It is like not using credentials at all.

Tags

Recent Questions

Top Questions

Home Tags Terms of Service Privacy Policy DMCA Contact Us

©2020 All rights reserved.