CORS header Allow-Origin missing in POST requests

Issue

I know there are tons of CORS related questions but I can’t seem to find the answer to this one.

This is my server side golang code (We are using github.com/rs/cors go module):
We basically have set of apis that require an authorization header and some apis that don’t (think checkout vs checkout as guest functionality)

allowedOrigins := []string{"http://localhost:3000", "http://localhost:3001"}
//allowedHeaders := []string{"Authorization"}
c := cors.New(cors.Options{AllowedOrigins: allowedOrigins, AllowCredentials: true})
handler := c.Handler(r)

What i found is the following:

// if allowcredentials is set to true, then all non auth requests go through but all auth requests return cors error

// if allowedHeaders: authorization is set then all **authenticated and NON authenticated** POST requests fail. GET works fine for both cases.

More specifically: The error I get is that AllowedOrigins is not set (??.. I get this in the PRE-FLIGHT OPTIONS response headers) when I try to execute a POST request and I set the AllowedHeaders:authorization option above.

If I comment that line (As you see above) then the non auth requests go through perfectly and the AllowedOrigins hader is sent back in the OPTIONS request..

Solution

Fixed it….

https://github.com/rs/cors 

Has a nice CorsOptions Debug:true. I used that to inspect what was going on and the moment i hardcoded that I allowed Authorization to come into my server then the POST request was complaining afterwards because I was also sending content-type (automatically sent by client (axios), I didn’t specify it).. and Server was saying pretty much "I only recognize authorization header"… I added Content-Type and it now works!

allowedHeaders := []string{"Authorization", "Content-Type"}

Answered By – Kevin Cohen

Answer Checked By – Cary Denson (GoLangFix Admin)

Leave a Reply

Your email address will not be published.