CORS with credentials throwing "'Access-Control-Allow-Origin' header in the response must not be the wildcard '*'"

I am working with a Serverless deployment that proxies everything to Express for handling. I am trying to save a JWT in a secure cookie for API access. When I add credentials though, I get the following error:

Access to XMLHttpRequest at 'https://api.mysite.co/users/login' from origin 'https://app.mysite.co' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Here is my serverless.yml file code:

functions:
  app:
    handler: app.handler
    events:
      - http:
          path: /
          method: any
          cors:
            origin: 'https://app.mysite.co'
            allowCredentials: true
      - http:
          path: '{proxy+}'
          method: any
          cors:
            origin: 'https://app.mysite.co'
            allowCredentials: true

Also here is my CORS setup within express:

app.use(
  cors({
    orgin: 'https://app.mysite.co',
    credentials: true,
  }),
);

The preflight OPTIONS request works fine and responds with these headers:

    access-control-allow-credentials: true
    access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent
    access-control-allow-methods: OPTIONS,DELETE,GET,HEAD,PATCH,POST,PUT
    access-control-allow-origin: https://app.mysite.co
    content-length: 0
    content-type: application/json
    date: Fri, 22 Feb 2019 19:47:53 GMT
    status: 200
    via: 1.1 fa6a26613abf7b82a2d399c330c31b47.cloudfront.net (CloudFront)
    x-amz-apigw-id: VhG8bGmPIAMFmNw=
    x-amz-cf-id: fMgIxswJbs86xTr7b7M8453dPHCMNVNCA5fSOmrE-9t11hAWY4Hhyw==
    x-amzn-requestid: be1cce20-36da-11e9-8bca-61faed0f2ff0
    x-cache: Miss from cloudfront

But when the POST request is made, it throws the error and comes back with these headers:

    access-control-allow-credentials: true
    access-control-allow-origin: *
    content-length: 43
    content-type: application/json; charset=utf-8
    date: Fri, 22 Feb 2019 19:47:54 GMT
    etag: W/"2b-c0t4OGtLVpPiUjXeADvGBWU1XEk"
    status: 200
    strict-transport-security: max-age=15552000; includeSubDomains
    via: 1.1 8bbf72e941cf5b676089162d6282d373.cloudfront.net (CloudFront)
    x-amz-apigw-id: VhG8cE9ooAMFlgg=
    x-amz-cf-id: ueGHXY-IJuZt6Nrjqa6oMcA6-CIAF3m55ByB-Boyk5wzWzryQ-KVDg==
    x-amzn-remapped-content-length: 43
    x-amzn-requestid: be2496f8-36da-11e9-8a62-a983489ce0af
    x-amzn-trace-id: Root=1-5c7051e9-2cd7ef455ebaa3c7b7856ee3;Sampled=0
    x-cache: Miss from cloudfront
    x-content-type-options: nosniff
    x-dns-prefetch-control: off
    x-download-options: noopen
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block

Does anyone have any ideas why the POST request would come back with a wildcard?

Thanks.

I was having the same issue but was missing the serverless.yml config.

I'm using apollo-server-lambda, although its config is similar to the express one CORS-wise.

const handler = graphqlServer.createHandler({
  cors: {
    origin: 'https://mydomain.com',
    credentials: true,
  },
})

graphql:
  handler: src/lambda.graphqlHandler
  events:
  - http:
      path: graphql
      method: post
      cors:
        origin: 'https://mydomain.com'
        allowCredentials: true

I think your problem may just be the `orgin` typo?

app.use(
  cors({
    // orgin: 'https://app.mysite.co',
    origin: 'https://app.mysite.co',
    credentials: true,
  }),
);

How to allow multiple origins?
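An added example, not code from this thread, that models how the `cors` middleware picks `Access-Control-Allow-Origin` and why a misspelled option key silently falls back to the wildcard seen in the question; it also covers the multiple-origins case asked about above. Assumptions: the defaults and array handling mirror the `cors` package's documented behaviour (absent `origin` means `*`, a string is echoed with `Vary: Origin`, an array is matched against the request origin); `KNOWN_OPTIONS`, `unknownCorsOptions` and `corsProblems` are my own names.

```javascript
// Option names the cors middleware understands; anything else (e.g. the
// `orgin` typo) is ignored, so `origin` keeps its default of '*'.
const KNOWN_OPTIONS = new Set(['origin', 'methods', 'allowedHeaders',
  'exposedHeaders', 'credentials', 'maxAge', 'preflightContinue',
  'optionsSuccessStatus']);

// Return the option keys the middleware would silently ignore.
function unknownCorsOptions(options) {
  return Object.keys(options).filter((k) => !KNOWN_OPTIONS.has(k));
}

// Model of the CORS response headers produced for a request from requestOrigin.
function corsHeaders(options, requestOrigin) {
  const headers = {};
  const origin = options.origin === undefined ? '*' : options.origin;
  if (origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (typeof origin === 'string') {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
  } else if (Array.isArray(origin)) {
    // Allow list: echo the request origin only when it is listed; otherwise
    // omit the header entirely (never reflect arbitrary origins).
    if (origin.includes(requestOrigin)) {
      headers['Access-Control-Allow-Origin'] = requestOrigin;
    }
    headers['Vary'] = 'Origin';
  }
  if (options.credentials === true) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Defender-side check on a response: the combination the browser rejects
// (wildcard plus credentials) and a cache-safety issue (specific origin
// without Vary: Origin, so a shared cache could serve it to other origins).
function corsProblems(headers) {
  const problems = [];
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === '*' && creds) {
    problems.push('wildcard Access-Control-Allow-Origin with credentials');
  }
  if (acao && acao !== '*' && !headers['Vary']) {
    problems.push('origin-specific Access-Control-Allow-Origin without Vary: Origin');
  }
  return problems;
}
```

Running `unknownCorsOptions` against the options object from the question reports `orgin`, and `corsProblems(corsHeaders(...))` flags the resulting wildcard-plus-credentials response before a browser ever has to.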

Is there a way to leave the handling of the OPTIONS method to the express app and bypass serverless?

I tried

    handler: some/lambda.handler
    events:
      - http:
          method: OPTIONS
          path: some/{Proxy+}
      - http:
          method: ANY
          path: some/{Proxy+}

Working locally with serverless-offline, this works. But it does not seem to be working on the actual server.