
`ory proxy` exposes duplicate cors headers when already configured upstream

Open JuxhinDB opened this issue 1 year ago • 4 comments

Preflight checklist

Ory Network Project

https://goofy-dewdney-rri0sodzzj.projects.oryapis.cojm

Describe the bug

We have a use-case to use the ory proxy auxiliary function to proxy our dev environment locally along with the ory session handler. This enables frontend developers to work on the UI while being authenticated correctly.

The issue arises when upstream services already handle CORS headers for you. The proxy will add its own CORS headers as part of the proxy middleware, which results in duplicate headers, causing CORS to fail in the browser. The only solution right now was to fork and patch the cli with the following patch.

diff --git a/cmd/cloudx/proxy/proxy.go b/cmd/cloudx/proxy/proxy.go
index a5c9f82..cb57b43 100644
--- a/cmd/cloudx/proxy/proxy.go
+++ b/cmd/cloudx/proxy/proxy.go
@@ -223,6 +223,12 @@ func run(cmd *cobra.Command, conf *config, version string, name string) error {
 			return body, nil
 		}),
 		proxy.WithRespMiddleware(func(resp *http.Response, config *proxy.HostConfig, body []byte) ([]byte, error) {
+
+			// Remove a duplicate Access Control header
+			resp.Header.Del("Access-Control-Allow-Origin")
+			// Remove a duplicate Access Allow Credentuals header
+			resp.Header.Del("Access-Control-Allow-Credentials")
+
 			l, err := resp.Location()
 			if err == nil {
 				// Redirect to main page if path is the default ui welcome page.
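
Review bot: the two `resp.Header.Del` calls in this hunk strip the upstream's CORS headers unconditionally, so the proxy's own `cors` handler becomes the only CORS policy for every response, whether or not `--dev` is set and whether or not the upstream actually emitted conflicting headers; gating this behind an opt-in flag (say a hypothetical `--strip-upstream-cors`) would keep the default behaviour unchanged for users whose upstream does not set CORS. The removal is also incomplete for preflight responses: `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, `Access-Control-Expose-Headers`, `Access-Control-Max-Age` and `Vary` from the upstream still pass through and can be duplicated in exactly the same way, so either delete the whole `Access-Control-*` family or document why only these two are handled. Minor: the comment reads "Credentuals".
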
@@ -239,17 +245,16 @@ func run(cmd *cobra.Command, conf *config, version string, name string) error {
 		return nil
 	}

-	var originFunc func(r *http.Request, origin string) bool
-	if conf.isDev {
-		originFunc = func(r *http.Request, origin string) bool {
-			return true
-		}
+	originFunc := func(r *http.Request, origin string) bool {
+		return true
 	}

+	corsOrigins := []string{"http://localhost:3000", "http://localhost:4000"}
+
 	proto := "http"
 	addr := fmt.Sprintf(":%d", conf.port)
 	ch := cors.New(cors.Options{
-		AllowedOrigins:         conf.corsOrigins,
+		AllowedOrigins:         corsOrigins,
 		AllowOriginRequestFunc: originFunc,
 		AllowedMethods:         corsx.CORSDefaultAllowedMethods,
 		AllowedHeaders:         append(corsx.CORSRequestHeadersSafelist, corsx.CORSRequestHeadersExtended...),
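
Review bot: dropping the `if conf.isDev` guard makes `originFunc` return true for every request, and because the hunk still wires that function into `AllowOriginRequestFunc`, which rs/cors consults before `AllowedOrigins`, the new `corsOrigins` slice is never actually evaluated; the net effect is that any `Origin` is accepted outside dev mode too, a wider policy than before the patch. Keep the guard (only set `AllowOriginRequestFunc` when `conf.isDev`) and keep `AllowedOrigins: conf.corsOrigins` instead of the hard-coded `http://localhost:3000` / `http://localhost:4000` list, which is specific to one local setup and not mergeable as-is.
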

Reproducing the bug

  1. Have an upstream service that handles CORS headers;
  2. Run the ory proxy: ory proxy --dev --project goofy-dewdney-rri0sodzzj $upstream
  3. Access the login url: http://localhost:4000/.ory/self-service/login/browser?return_to=http://localhost:3000
  4. Login

This will result in you getting redirected to http://localhost:3000/, which will fetch an api endpoint through the proxy. The response of the proxied request will contain duplicate CORS headers, leading to CORS failure in the browser.

Relevant log output

No response

Relevant configuration

No response

Version

Version: v0.3.4 Git Hash: 654e4987a7c0a6111988dccb158541329ec36c9f Build Time: 2024-02-10T10:29:21Z

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Binary

Additional Context

No response

JuxhinDB avatar Feb 28 '24 11:02 JuxhinDB
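The mechanism described in the report, as an added example that is not code from the issue or from the Ory CLI: a minimal Go reverse proxy whose CORS middleware sets `Access-Control-Allow-Origin` on the response writer, while `httputil.ReverseProxy` then copies the upstream's own CORS headers onto the same response with `Header.Add`, producing the duplicate the browser rejects. The `stripUpstreamCORS` hook, the `withCORS` middleware, the `proxyAndFetch` harness and the upstream's permissive behaviour are all constructed for this example; the hook is the conditional form of the unconditional `resp.Header.Del` in the patch above, and the harness also shows the side effect of stripping, namely that the proxy's allow-list becomes the only policy that reaches the browser.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// upstreamCORSHeaders are the CORS response headers a CORS-aware upstream may set.
// ReverseProxy copies upstream headers with Header.Add, so if the proxy has already
// set the same header, the browser sees it twice.
var upstreamCORSHeaders = []string{
	"Access-Control-Allow-Origin",
	"Access-Control-Allow-Credentials",
	"Access-Control-Allow-Methods",
	"Access-Control-Allow-Headers",
	"Access-Control-Expose-Headers",
	"Access-Control-Max-Age",
}

// stripUpstreamCORS (hypothetical helper) returns a ReverseProxy.ModifyResponse hook.
// When enabled it removes the upstream's CORS headers so the proxy's own middleware is
// the single authoritative policy; when disabled the upstream headers pass through.
func stripUpstreamCORS(enabled bool) func(*http.Response) error {
	return func(resp *http.Response) error {
		if !enabled {
			return nil
		}
		for _, h := range upstreamCORSHeaders {
			resp.Header.Del(h)
		}
		return nil
	}
}

// withCORS is a deliberately small stand-in for the proxy's CORS middleware: it reflects
// the Origin only when it is on an explicit allow-list (no always-true origin func) and
// does not handle preflight, which a real library such as rs/cors would.
func withCORS(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		for _, a := range allowed {
			if origin == a {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Set("Access-Control-Allow-Credentials", "true")
				w.Header().Add("Vary", "Origin")
				break
			}
		}
		next.ServeHTTP(w, r)
	})
}

// proxyAndFetch stands up a constructed upstream that reflects any Origin in its own
// CORS headers, places the CORS-adding proxy in front of it, and returns the headers a
// browser would receive for a request carrying `origin`.
func proxyAndFetch(strip bool, origin string) (http.Header, error) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Upstream's own permissive CORS handling (constructed for the example).
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"ok":true}`))
	}))
	defer upstream.Close()

	target, err := url.Parse(upstream.URL)
	if err != nil {
		return nil, err
	}
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.ModifyResponse = stripUpstreamCORS(strip)

	// The proxy's allow-list holds only the dev UI origin, like a non-dev corsOrigins list.
	front := httptest.NewServer(withCORS([]string{"http://localhost:3000"}, rp))
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/api/session", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Origin", origin)
	resp, err := front.Client().Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return resp.Header.Clone(), nil
}

func main() {
	for _, strip := range []bool{false, true} {
		h, err := proxyAndFetch(strip, "http://localhost:3000")
		if err != nil {
			panic(err)
		}
		fmt.Printf("strip=%v Access-Control-Allow-Origin=%q\n", strip, h.Values("Access-Control-Allow-Origin"))
	}
}
```

Without stripping, the allowed origin gets `Access-Control-Allow-Origin` twice (the failure in the report) and an origin the proxy does not allow still receives the upstream's reflected header, so the upstream's looser policy leaks past the proxy. With stripping, the allowed origin gets exactly one header and a non-allowed origin gets none, which is why the strip should be a deliberate, configurable choice rather than an unconditional delete.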

Hey - awesome find! Would you mind creating a PR for this? :) Looks like you already have the diff :)

aeneasr avatar Feb 28 '24 12:02 aeneasr

I am running into the same problem for ory tunnel, what is the current state of this issue?

sahra-karakoc avatar Aug 22 '24 12:08 sahra-karakoc

Didn't have time to fix this unfortunately, but you should be able to apply the patch locally (assuming things didn't change much) and build the binaries. Otherwise a PR fix would be ideal for the maintainers.

JuxhinDB avatar Aug 22 '24 18:08 JuxhinDB

I disabled CORS for my Ory project using the Ory CLI and that fixed my problem

ory patch project <your-project-id> \
  --replace '/cors_public/enabled=false'

sahra-karakoc avatar Aug 23 '24 08:08 sahra-karakoc