vader:VTAg nick$ npm view "restify-cors-middleware" version
1.1.0
vader:VTAg nick$ npm view "restify" version
6.3.4
Whether I specify a single value for the "origins" array in the config, no value, or '*' ... the only outcomes I see are requests that get EITHER multiple allowed values (ORIGIN, *) or no allowed values. Either way, the site fails to load because the browser rejects both responses.
var router = require("./router");
var config = require("./config");
var restify = require('restify');
var fs = require('fs');
var helmet = require('helmet');
var corsMiddleware = require('restify-cors-middleware')
// CORS policy handed to restify-cors-middleware: one explicitly allowed origin and an allowHeaders list holding only '*'.
// NOTE(review): browsers do not treat '*' in Access-Control-Allow-Headers as a wildcard on credentialed requests, and 'Authorization' always has to be named explicitly — list the request headers the client really sends instead.
// NOTE(review): whether the middleware emits '*' verbatim or merges it with its own default header list is not visible here — confirm against the installed version.
var CORS = corsMiddleware(
{
origins: ['https://vtag-local.stone-env.net:3000'],
allowHeaders: ['*']
}
)
// 365 days expressed in milliseconds (365 * 24 * 60 * 60 * 1000); used below as the HSTS maxAge.
var ONE_YEAR = 31536000000;
// Setup some https server options
// NOTE(review): `key` and `certificate` are both read from config.certificate. That only works if the file is a combined PEM holding the private key and the certificate; if it holds the certificate alone, the key path is wrong — confirm. A combined file also means the private key lives wherever the certificate is readable.
// NOTE(review): OpenSSL keeps cipher-string order, and honorCipherOrder makes the server's order win, so the CBC-mode SHA256/SHA384 suites named first are preferred over any AEAD (GCM) suites that "HIGH" adds afterwards — presumably not intended; verify with the negotiated suite.
var https_options = {
key: fs.readFileSync(config.certificate),
certificate: fs.readFileSync(config.certificate),
ciphers: [
"ECDHE-RSA-AES256-SHA384",
"DHE-RSA-AES256-SHA384",
"ECDHE-RSA-AES256-SHA256",
"DHE-RSA-AES256-SHA256",
"ECDHE-RSA-AES128-SHA256",
"DHE-RSA-AES128-SHA256",
"HIGH",
"!aNULL",
"!eNULL",
"!EXPORT",
"!DES",
"!RC4",
"!MD5",
"!PSK",
"!SRP",
"!CAMELLIA"
].join(':'),
honorCipherOrder: true
};
// Registers the pre-routing handlers, the per-request middleware chain and the routes on a restify server.
// Order matters: handlers run in registration order, so anything that writes CORS headers before CORS.actual is still on the response when CORS.actual adds its own.
var setupServer = function(app) {
// Answers CORS preflight (OPTIONS) requests before routing.
app.pre(CORS.preflight);
app.pre(restify.pre.userAgentConnection());
app.use(restify.plugins.bodyParser());
app.use(restify.plugins.queryParser());
// Old built-in CORS plugin, disabled in favour of restify-cors-middleware.
//app.use(restify.CORS());
// NOTE(review): fullResponse() runs before CORS.actual. restify's fullResponse has defaulted Access-Control-Allow-Origin to '*' when the header is unset, which would match the "ORIGIN, *" pair in the reported browser error — confirm by inspecting the response headers with this line removed.
app.use(restify.plugins.fullResponse());
// NOTE(review): maxAge here is ONE_YEAR in milliseconds; helmet's hsts switched from milliseconds to seconds between releases, and the option spelling (includeSubdomains / force) also changed — check both against the installed helmet version, otherwise the emitted max-age may not be one year.
app.use(helmet.hsts({
maxAge: ONE_YEAR,
includeSubdomains: true,
force: true
}));
// Adds the CORS response headers for non-preflight requests.
app.use(CORS.actual);
// Loads the router module and lets it register its routes on this server.
require("./router.js")(app);
};
// Create the HTTPS server from https_options, attach middleware and routes, then bind to the configured address and TLS port.
var appSSL = restify.createServer(https_options);
setupServer(appSSL);
// The callback only logs the bound address once the listener is up.
appSSL.listen(config.portSSL, config.ip, function () {
console.log("Listening on " + config.ip + ", port " + config.portSSL)
});
FTR I have tried commenting out the various other parts of my server .pre and .use setup. Removing them did not seem to make things any better or worse regarding CORS.
In my router I have code, called for each route, that used to handle the CORS headers, but it now seems to interact badly with the new middleware... so I've commented it out. I thought at first that setting Access-Control-Allow-Origin here was breaking restify-cors-middleware, but even after removing it, I'm still getting multiple Access-Control-Allow-Origin values...
/**
 * Per-route hook that previously wrote the CORS response headers by hand.
 *
 * Every header write is commented out, so the function now only logs two
 * marker lines and passes control on. The disabled lines are kept to show
 * what the route used to send: a wildcard origin and wildcard methods,
 * which is broader than the single origin configured for the middleware.
 *
 * @param {object} req - incoming request (unused).
 * @param {object} res - outgoing response (untouched while the writes stay disabled).
 * @param {Function} next - continuation for the handler chain.
 * @returns {*} whatever `next()` returns.
 */
function setupCORSCrap(req, res, next) {
  console.log('----{ Setting CORS headers }----');

  // Disabled manual CORS headers. Re-enabling any of these alongside the CORS
  // middleware would put a second value on the same response header.
  //res.setHeader('Access-Control-Allow-Origin', '*');
  //res.setHeader('Access-Control-Allow-Headers', 'Authorization, Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token');
  //res.setHeader('Access-Control-Allow-Methods', '*');
  //res.setHeader('Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time');
  ///res.setHeader('Access-Control-Max-Age', '1000');

  console.log('.____. headers set .____.');

  return next();
}
It seems like the primary issue revolves around the middleware automatically inserting the ORIGIN into the header... but seemingly not removing whatever was in there already.
Failed to load https://vtag-local.stone-env.net:8443/login: The 'Access-Control-Allow-Origin' header contains multiple values 'https://vtag-local.stone-env.net:3000, *', but only one is allowed. Origin 'https://vtag-local.stone-env.net:3000' is therefore not allowed access.
This all worked fine for me until I upgraded Restify and had to stop using "restify.CORS()" ...
Whether I specify a single value for the "origins" array in the config, no value, or '*' ... the only outcomes I see are requests that get EITHER multiple allowed values (ORIGIN, *) or no allowed values. Either way, the site fails to load because the browser rejects both responses.
FTR I have tried commenting out the various other parts of my server .pre and .use setup. Removing them did not seem to make things any better or worse regarding CORS.
In my router I have code, called for each route, that used to handle the CORS headers, but it now seems to interact badly with the new middleware... so I've commented it out. I thought at first that setting Access-Control-Allow-Origin here was breaking restify-cors-middleware, but even after removing it, I'm still getting multiple Access-Control-Allow-Origin values...
It seems like the primary issue revolves around the middleware automatically inserting the ORIGIN into the header... but seemingly not removing whatever was in there already.
This all worked fine for me until I upgraded Restify and had to stop using "restify.CORS()" ...