Cross origin request explained

If You are a developer getting started or have played with frontend as well as backend development for some time now then you must have faced issues with CORS a lot of the time. and I guess by now you must have known how to solve them. If you have not then follow along and you will know the reason why it is occuring and how to resolve it. If you already know how to solve it but don't understand the theory and reason behind what you do in order to solve it then you are in the right place. If you are a backend developer then you might have also heard a lot of your frontend guys ask you to enable CORS.
For a frontend dev, the typical error you get is this.
Access to fetch at 'http://localhost:3000/' from origin 'http://localhost:3001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
In the above snippet, localhost is just a local domain and can be any domain depending on where you are working.

Now let's suppose you have build an API whatever language you use doesn't matter. for the purpose of this exercise, you will find nodejs snippets for mocking of our API response.
Assuming an endpoint in nodejs is to support a simple get and post request 



require('dotenv').config()



const express = require('express')



const bodyParser = require('body-parser')



const fetch = require('node-fetch')



const path = require('path')



const app = express()



const port = 3000



app.use(bodyParser.urlencoded({ extended: true }))



app.use(bodyParser.json())



// example API call to naza api for image of the day



app.get('/', async (req, res) => {



    try {



        let image = await fetch(`https://api.nasa.gov/planetary/apod?api_key=${process.env.API_KEY}`)



            .then(res => res.json())



        res.send({ image })



    } catch (err) {



        console.log('error:', err);



    }



})



//  API call for the persons



app.post('/persons', async (req, res) => {



    let matricule = req.body.matricule



    let person = {



        name: "Harisu",



        gender: "Male",



        Tel: '+237675955931',



        email: 'fanyuiharisu@gmail.com'



    }



    res.send(person)



})



app.listen(port, () => console.log(`Example app listening on port ${port}!`))

If we run this code and locally then we expect to get the response object of the image of the day from Naza at the / endpoint by making a get request. however, if you use a frontend technology or and application that runs on the browser, you will get the typical CORS error explained above.

The example below uses react to make a fetch to the backend.



import React, { useEffect, useState } from 'react';



import './App.css';



function App() {



    const [innitial, setInitial] = useState()



    const [person, setPerson] = useState()



    useEffect(() => {



        async function FetchData() {



            const resp = await fetch('http://localhost:3000')



            const result = await resp.json()



            setInitial(result)



        }



        FetchData()



    }, [])



    const submit = async () => {



        const response = await fetch('http://localhost:3000/persons', {



            method: 'POST', // *GET, POST, PUT, DELETE, etc.



            headers: {



                'Content-Type': 'application/json'



            },



            body: JSON.stringify({ matricule: "FE!$A)(4" })



        })



        const result = await response.json();



        setPerson(result)



    }



    return (



        <div className="App">



            <button onClick={submit}> Post Request</button>



        </div>



    );



}



export default App;

Unfortunately what we get it this
What does it mean and why can't we fetch data from our API?. The answer to this question will be given.

Note that if you make this same request with postman you will get a response back and everything will work normally.
This is the same request with postman

Why can't we fetch data from our API?

The answer is what is known as.
  1. Same-origin request policy:  It is enabled by default on all browsers
  2. Need to configure cross-origin request policy on the API

Same Origin Request policy:

What we mean here is that When our browser download a javascript file, it remembers from where(domain) it downloaded the file. So for the case above, It knows that it downloaded the code from http://localhost:3001 Later on in the browser when this javascript code tries to make a request to another domain which is not http://localhost:3001 In our case http://localhost:3000, the request is blocked.
The diagram below represents what happens
.


To be more specific,
The javascript code does not directly sends the request to the API instead the browser sits in between the code and the API, which means the browser is the one that performs the actual request it receives the request it needs to send from the js code then add some additional headers(origin) to it and forwards it to the API. now when the API returns or response, the response as well is not directly available to the code it is again intercepted by the browser and this time around the browser looks for a particular header and if it notices that the request went to a different domain, it again checks for that particular header and if it's absent it will block the response data. As such in other to combat this, we the developers need to update the API to respond with that particular header which the browser will be looking for(Access-Control-Allow-Origin.

New Updated Diagram.



Once our API response with a header having the access-control-allow-origin then the browser can now allow the response to reach the JS code depending on the value of the access-control-allow-origin

Access-Control-Allow-Origin Values

Access control allow origin header is allowed to have any of the two possible values 
  1. wild card "*" for all domain ie any js file downloaded from anywhere on the net can make request to this API and get response.
  2. `hostname: port`  limit only a particular domain to access the API
Note: This CORS issue we are discussing is basically affecting only the browser. Tools like postman are not affected.
For our example express code, it's as easy as adding the line below to the request.

res.header('Access-Control-Allow-Origin', "*")
Now when you perform the same get request you get the response with the header as follows
in postman and in our react app the CORS error is gone Also not that the line above should
the first line in the function that processing the get request.



Everything seems to be working just fine with the GET method. Now if you try and click on the button for our example code which is supposed to make a post request you still get CORS error even after adding the Access control allow origin line to the post method. Why is this, We will be answering it below.
You might think we already configured CORS but the thing is some requests need more level of configuration example post and delete method. When you make a post request or a delete request the browser intercepts and makes what is known as a preflight request. This request by default uses the options method specifying the intention of our request Access-control-request-method. ie it says our code is about to make a post request to the specified endpoint and in return, the browser is expecting the API to respond with another type of header this time around its expecting to receive the Access-Control-Allow-Origin header and the Access-Control-Allow-Methods as well as the Access-Control-Allow-Headers.
When the browser receives the above two headers from the preflight request, It then goes ahead to make the actual post request and the API response with the data alongside the Access-Control-Allow-Origin:* header are returned.

To solve the above-identified issue, we should add an option method that will respond to the preflight request typically it looks like the following the below code is nodejs express but the same 
idea works for other languages.

app.options("/*", function (req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
res.send(200);
});

The above code will always respond to the preflight request and then the browser will be able to now make the actual request. After adding the above code we now have a successful request on our react app with the following

This concludes our post about CORS Explained.

Watch out.

This article gives you just an explanation of how and why things happen the way they do happen when it comes to CORS and not just fixing the CORS errors with a package.
In a production environment, you will want to use a CORS package and do the configuration using the package but you could also with the knowledge gained from this post write your own middleware to handle CORS in your application.

Comments

Post a Comment

Popular posts from this blog

Algorithm Design A Call For Concern To Software Engineers

Image
Algorithms in its entirety are often misunderstood and misinterpreted by most of the software engineers or developers. Technically every software or program you develop does use an algorithm and in most cases brute-force that is the obvious solution and at times the easiest. In computer science and software engineering, the concern is in solving problems and any problem that needs to be solved requires a solution in a finite amount of time and using the smallest amount of resources as possible.  In this post is the discussion about the importance and need for a software engineer to be able and capable of designing a good algorithm in his or her software development lifetime. This post will also go further to demonstrate on the side effects that you as a developer have without basic knowledge of algorithms,  the software that you build and the community that uses the software you build. Importance of good algorithm design. Algorithm design is important because They make your prog
Read more

Week Twelve

Image
Week 12. This week commenced and i fully worked on making sure all the hanging pull request with respect to the core have been merged and closed. I accomplished these by hastening up my speed in fixing reviews, then i created new branches called general fix where all the light works related to renaming adding exception modifying exception messages and as well writing tests. Rest webservice. After sucessfully finishing with the core and everything merged, I went straight away to the  rest webservice module where i added 2 endpoint to handle the get with provided activation and a post with new credentials  password and activation key. this i did before consulting my mentor and  after consulting him. There was alot of other design changes such. i had to send and email message to my two mentors ie primary mentor and backup mentor. I also posted on talk here   from this talk post i received many criticism and all of them were positively to my benefits in finishing up with the rest web
Read more

A health wise peep into the life of a home based developer

First look at the lifestyle of a developer: Basically, a home-based developer though it applies to an office developer. It all begins with the lifestyle of the individual. Haven lived in this lifestyle and among other developers who equally lived a similar lifestyle, I can say the following.  Most developers take it as a lifestyle in that skipping breakfast is the order of the day and telling you that the last meal they take was maybe yesterday afternoon is a common wording that you can hear. This is not because they don’t have the means to get the food but most times because they neither felt hungry nor hadn’t any time to look for something and eat. This even goes further when they happened to get something and eat they eat what is termed junk food. Here I mean they go for what is readily available and takes less effort to acquire. They end up with things like bread, or just carbohydrate food. That is if we are to qualify it as food then they might spend their remaining time tak
Read more