Random Cors Issue
Unanswered
Rock Wren posted this in #help-forum
Rock WrenOP
I'm using the app router and have enabled cors for all hosts to certain api endpoints to make them accessible to an electron app. Here is how I did that:
```ts
export function OPTIONS() {
  return new Response('', {
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
      'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
    }
  });
}

export function POST(request: Request) {
  // doing something
  return new Response('', {
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
      'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
    }
  });
}
```
The HTTP requests contain an Authorization header with Bearer token
Usually this works fine. But about every 10 to 20 requests or so I'm getting a random cors error. I usually just catch it and send the request again, which works about 9/10 times, but I still can't guarantee that the request won't be blocked by cors. How can I fix this?
16 Replies
Toyger
only you can solve that, you need to make it reproducible and check network tab what request looks like.
most likely it's either middleware or you send some forbidden header that is not in the list `Access-Control-Allow-Headers`.
Original message was deleted
Rafael Almeida
deleting this message since that's not allowed
as for the issue, I believe the problem is the requests that you are sending with an authorization header. you can't use `'Access-Control-Allow-Origin': '*'` and send a request with credentials at the same time as this violates one of the rules of CORS
ideally you shouldn't be trying to bypass CORS in electron, I believe the correct way would be sending the requests with the Node.js process running in Electron through IPC. here's an article explaining it: <https://m-t-a.medium.com/avoiding-cors-in-electron-sending-requests-through-ipc-28ad9407aac0>
@Toyger only you can solve that, you need to make it reproducible and check network tab what request looks like.
most likely it's either middleware or you send some forbidden header that is not in the list `Access-Control-Allow-Headers`.
Rock WrenOP
That's the issue, I'm not able to reproduce it. It's kind of Schrödinger's Request: it sometimes fails and sometimes the exact same request goes through.
@Rafael Almeida deleting this message since that's not allowed
Rock WrenOP
Sorry about that 🙂
@Rafael Almeida as for the issue, I believe the problem is the requests that you are sending with an authorization header. you can't use `'Access-Control-Allow-Origin': '*'` and send a request with credentials at the same time as this violates one of the rules of CORS
Rock WrenOP
Okay that makes sense, but it still doesn't explain why the code works most of the time
@Rafael Almeida ideally you shouldn't be trying to bypass CORS in electron, I believe the correct way would be sending the requests with the Node.js process running in Electron through IPC. here's an article explaining it: <https://m-t-a.medium.com/avoiding-cors-in-electron-sending-requests-through-ipc-28ad9407aac0>
Rock WrenOP
I've also been migrating GCP cloud functions to vercel and never had any cors issues on GCP (also from the client side + authorization header) how can that be explained...
Rafael Almeida
no idea, you would need to provide some examples of the failing requests otherwise it would be just a guessing game
@Rafael Almeida no idea, you would need to provide some examples of the failing requests otherwise it would be just a guessing game
Rock WrenOP
All right thanks already!
@Rock Wren All right thanks already!
Blanc de Hotot
hello mate sry for disturb, I'm having the same issue but using tauri, did u solve it?
@Blanc de Hotot hello mate sry for disturb, I'm having the same issue but using tauri, did u solve it?
Rock WrenOP
I have partly resolved the issue by modifying the headers on the node side
However now I'm getting a 405 with the first request. When I send the exact same request (using browser fetch) again it succeeds. See screenshot for differences in headers.
@Rafael Almeida no idea, you would need to provide some examples of the failing requests otherwise it would be just a guessing game
Rock WrenOP
Do you think this could be a vercel issue?
What confuses me is the x-matched-path. Why is it 500 on the first request?
The request url is exactly the same by the way
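
An added example, not part of any post in this thread: a TypeScript check that takes one captured preflight exchange (for instance copied from the network tab, as suggested above) and lists every CORS rule it breaks, covering the non-2xx preflight status, the header allow-list and the wildcard-with-credentials cases raised in the replies. The names `Preflight`, `preflightFailures` and `threadHeaders` are hypothetical, and the sample headers are constructed from the question's code.

```typescript
// Added example (not from the thread): explain why a captured preflight would fail.
interface Preflight {
  origin: string;            // request Origin header
  method: string;            // Access-Control-Request-Method
  requestHeaders: string[];  // names from Access-Control-Request-Headers
  withCredentials: boolean;  // true when fetch uses credentials: 'include'
  status: number;            // status code of the OPTIONS response
  response: Record<string, string | undefined>; // response headers, lower-case names
}

const list = (v: string | undefined): string[] =>
  (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
const has = (xs: string[], x: string): boolean => xs.indexOf(x) !== -1;

function preflightFailures(p: Preflight): string[] {
  const why: string[] = [];
  if (p.status < 200 || p.status > 299) why.push(`preflight status ${p.status} is not 2xx`);

  const allowOrigin = p.response['access-control-allow-origin'];
  if (allowOrigin === undefined) why.push('Access-Control-Allow-Origin missing');
  else if (allowOrigin === '*') {
    if (p.withCredentials) why.push("'*' origin not allowed with credentials");
  } else if (allowOrigin !== p.origin) why.push(`origin ${p.origin} not allowed`);

  const method = p.method.toLowerCase();
  const methods = list(p.response['access-control-allow-methods']);
  const methodOk = has(['get', 'head', 'post'], method) || has(methods, method) ||
    (has(methods, '*') && !p.withCredentials);
  if (!methodOk) why.push(`method ${p.method} not in Access-Control-Allow-Methods`);

  const allowed = list(p.response['access-control-allow-headers']);
  const wildcard = has(allowed, '*') && !p.withCredentials;
  for (const h of p.requestHeaders.map((s) => s.toLowerCase())) {
    // Fetch standard: '*' never covers Authorization, it must be listed by name.
    const covered = has(allowed, h) || (wildcard && h !== 'authorization');
    if (!covered) why.push(`header ${h} not in Access-Control-Allow-Headers`);
  }
  return why;
}

// Constructed sample: the response headers from the question, names lower-cased.
const threadHeaders = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'access-control-allow-headers': 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
};
```

Logging the result of `preflightFailures` for each failed request on the client turns an intermittent "CORS error" into a named cause that can be compared across attempts.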