hapi.js Cors Pre-flight not returning Access-Control-Allow-Origin header
Asked Answered
A

2

13

I have an ajax file upload using (Dropzone js). which sends a file to my hapi server. I realised the browser sends a PREFLIGHT OPTIONS METHOD. but my hapi server seems not to send the right response headers so i am getting errors on chrome. here is the error i get on chrome

XMLHttpRequest cannot load http://localhost:3000/uploadbookimg. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

this is the hapi js route handler

server.route({
        path: '/uploadbookimg',
        method: 'POST',
        config: {
            cors : true,
            payload: {
                output: 'stream',
                parse: true,
                allow: 'multipart/form-data'
            },
        handler: require('./books/webbookimgupload'),
        }
    });

In my understanding hapi js should send all cors headers from the Pre-fight (OPTIONS) request. Cant understand why its is not

Network request /response from chrome

**General**
Request Method:OPTIONS
Status Code:200 OK
Remote Address:127.0.0.1:3000

**Response Headers**
view parsed
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: no-cache
vary: accept-encoding
Date: Wed, 27 Apr 2016 07:25:33 GMT
Connection: keep-alive
Transfer-Encoding: chunked

**Request Headers**
view parsed
OPTIONS /uploadbookimg HTTP/1.1
Host: localhost:3000
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
Access-Control-Request-Headers: accept, cache-control, content-type
Accept: */*
Referer: http://localhost:4200/books/upload
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Thanks in advance

Appel answered 27/4, 2016 at 8:3 Comment(1)
Try Hapi Cors Header Plugin https://github.com/gr2m/hapi-cors-headers.Duello
S
22

The hapi cors: true is a wildcard rule that allows CORS requests from all domains except for a few cases including when there are additional request headers outside of hapi's default whitelist:

["accept", "authorization", "content-type", "if-none-match", "origin"]

See the cors option section in the API docs under route options:

headers - a strings array of allowed headers ('Access-Control-Allow-Headers'). Defaults to ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'].

additionalHeaders - a strings array of additional headers to headers. Use this to keep the default headers in place.

Your problem is that Dropzone sends a couple of headers along with the file upload that aren't in this list:

  • x-requested-with (not in your headers above but was sent for me)
  • cache-control

You have two options to get things working, you need to change something on either the server or the client:

Option 1 - Whitelist the extra headers:

server.route({
    config: {
        cors: {
            origin: ['*'],
            additionalHeaders: ['cache-control', 'x-requested-with']
        }
    },
    method: 'POST',
    path: '/upload',
    handler: function (request, reply) {

        ...
    }
});

Option 2 - Tell dropzone to not send those extra headers

Not possible yet through their config but there's a pending PR to allow it: https://github.com/enyo/dropzone/pull/685

Spiritualize answered 27/4, 2016 at 13:6 Comment(4)
ok..this worked perfectly, one other solution i found out was was to use the hapi-cors-header plugin npmjs.com/package/hapi-cors-headersAppel
Yes that would work. Wouldn't recommend it though. The strict whitelist is there for a reason (security).Spiritualize
Is there a method of setting the CORS origin for all routes rather than on a route-by-route basis?Longford
@Notamachine Yes it is possible, you can do it by adding it to the server configs, instead of the route config.Laliberte
D
3

I want to add my 2 cents on this one as the above did not fully resolve the issue in my case.

I started my Hapi-Server at localhost:3300. Then I made a request from localhost:80 to http://localhost:3300/ to test CORS. This lead to chrome still blocking the ressource because it said that

No 'Access-Control-Allow-Origin' header is present on the requested resource

(which was not true at all). Then I changed the XHR-Request to fetch the url to a url for which I actually created a route inside HapiJS which - in my case - was http://localhost:3300/api/test. This worked.

To overgo this issue I created a "catch-all" route in HapiJS (to overgo the built-in 404 catch).

const Boom = require('Boom'); //You can require Boom when you have hapi

Route({
  method: '*',
  path: '/{any*}',
  handler: function(request, reply) {
    reply(Boom.notFound());
  }
})
Denominationalism answered 29/9, 2016 at 20:49 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.