CORS-enabled server not denying requests
I am trying to use express cors with my restify server and it doesn't seem to be denying requests coming from other IPs. I am working locally, so I tried setting origin to a random public IP, but all of my requests are still going through.

Here is my route:

module.exports = function(app) {
    var user = require('./controllers/userController');
    var cors = require('cors');
    var corsOptions = require('./cors.json');


    app.post('/auth/signup', cors(corsOptions),user.createUser);
    app.post('/auth/login', cors(corsOptions), user.validateUser);
    app.post('/auth/generateKeys', cors(corsOptions), user.generateKeys);
    app.post('/auth/generateToken', user.generateToken);
};

and here is my cors.json file where I have set a random ip:

{
    "origin": "http://172.16.12.123",
    "optionsSuccessStatus": 200
}

With cors set on the route I can see the following in Postman, but the request is still going through. I would expect an access denied response.

Access-Control-Allow-Origin → http://172.16.12.123

Alexandrina answered 13/7, 2017 at 0:43 Comment(0)
CORS configuration on its own isn’t going to cause a server to deny requests. You can’t cause server-side blocking of requests just through CORS configuration.

The only thing servers do differently when you configure CORS support is just to send the Access-Control-Allow-Origin response header and other CORS response headers. That’s it.

Actual enforcement of cross-origin restrictions is done only by browsers, not by servers.

So no matter what server-side CORS configuration you make to a server, the server still goes on accepting requests from all clients and origins it would otherwise; in other words, all clients from all origins still keep on getting responses from the server just as they would otherwise.

But browsers will only expose responses from cross-origin requests to frontend JavaScript code running at a particular origin if the server the request was sent to opts in to permitting the request by responding with an Access-Control-Allow-Origin header that allows that origin.

That’s the only thing you can do using CORS config. You can’t make a server only accept and respond to requests from particular origins just by doing any server-side CORS configuration. To do that, you need to use something other than just CORS configuration.

Likable answered 13/7, 2017 at 0:52 Comment(2)
Ok, I am building an API with restify and I have a handful of endpoints that I want users to be able to post to but a lot of them I don't. I'm trying to find the best way to control that. I was originally using API keys in the body that both my main app and API knew. Is this a correct approach? – Alexandrina
Yes, using API keys in the way you describe sounds like a reasonable way to achieve what you want. – Likable
CORS does not prevent anyone from sending GET or POST requests to your application or exposed API URL.

Instead, it indicates to the web browser that AJAX requests are allowed to this server, from the domain they are executed.

But only AJAX requests executed from a domain are CORS-controlled. Entering the URL in the web browser will not activate CORS: it is not a firewall.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

The order of events is:

  1. Domain A executes AJAX on User's browser to request API URL on Domain B

  2. User's browser sends a basic primary request to target Domain B and checks if CORS are allowed for Domain A

  3. If allowed, AJAX request is executed otherwise null is returned

Destruct answered 13/7, 2017 at 0:51 Comment(3)
Ok, I am building an API with restify and I have a handful of endpoints that I want users to be able to post to but a lot of them I don't. I'm trying to find the best way to control that. I was originally using API keys in the body that both my main app and API knew. Is this a correct approach? – Alexandrina
Your users must open a session with your back-end service, and are then returned a session token. They use this session token in all the posts they perform and your back-end server controls the session's validity for all privileged operations. This way you can manage who is allowed to post or not, by authentication first. Don't forget SSL and use a standard Session ID generation. – Destruct
I'm trying to build an app without backend where all data is pulled via AJAX. I'll make the call with a token stored in localStorage. – Alexandrina
