
Re: [NYC-rb] CSRF Problem with React App (localhost:8080) with Facebook authentication via Rails API (localhost:3000) with Omniauth, Rack-cors

From: Dan J.
Sent on: Friday, June 26, 2015, 8:51 PM
Hi Thomas,

I'm using omniauth-facebook gem.

I'm calling from React client with ajax to /auth/facebook which is the route provided by Omniauth. Omniauth should call facebook login and return to /auth/facebook/callback where I pick up.

The problem could be my ajax is incorrect (missing header info etc.)

Best,
Dan 

On Fri, Jun 26, 2015 at 8:46 PM, Dan Jensen <[address removed]> wrote:
Hi Bryan,

Thank you. I've replied directly with output from curl.

Best,
Dan


On Fri, Jun 26, 2015 at 7:45 PM, Thomas Wunderlich <[address removed]> wrote:
Like Dan, I'm not familiar with the gems you're using, but to get a CORS error, you have to be doing a client-side request. CORS is designed to prevent javascript requests from one domain to another. In the same vein, CSRF attacks are javascript attacks that are used to hijack a user's legitimate session. My guess is that instead of doing a client-side GET/POST/etc the request is being interpreted as a client-side request.

Best,
Thomas Wunderlich


On Fri, Jun 26, 2015 at 7:19 PM, Bryan White <[address removed]> wrote:
Hey Dan,

I can't say I've worked with this exact stack but I have worked with several projects that use CORS and battle the same-origin-policy other ways as well.

It's been my experience that when you see a missing allow-origin header when there clearly should be one in the response of a rails app (i.e. esp. in the case where you're setting it via `default_headers`) that the request didn't make it all the way through the middleware stack before a response was generated; often this is due to an error in the rails app. 

I'd be curious to know what the status code of the response of your request is if you hit it with a non-browser using the same request. In Chrome dev-tools, under the network tab, you can right-click on a request and select "copy as cURL". Then paste that into your terminal. Also, I'm curious if you're seeing the browser send a "pre-flight" request with the OPTIONS method or not and if so, what's the status of that response. If the preflight request is failing you likely have a routing error.

I hope that helps at least eliminate some possibilities if not solve your problem. If you'd like to reply with that info I'd be more than happy to consider it further.

On Fri, Jun 26, 2015 at 10:38 PM Dan <[address removed]> wrote:
Hi,

I hope that someone on this mailing list can help me!

Summary:

I'm trying to authenticate with Facebook and Google from React app via Rails API.

My app runs on localhost:8080 and my api runs on localhost:3000.

I'm able to log in to both Facebook and Google and create a session on callback, but the initial request (auth/:provider) results in an error.

This is a server-side call to Facebook and Google. Both result in the same error. So the problem isn't in the Facebook or Google configuration, but on my side.

I think that the problem is somewhere in my configuration of omniauth or rack-cors. I suspect that omniauth somehow clears the Access-Control-Allow-Origin header.

Earlier, I received the error csrf-detected, but this was resolved by adding provider_ignores_state: true to omniauth configuration.

I'm getting this error:

XMLHttpRequest cannot load https://www.facebook.com/dialog/oauth?client_id=
[client_id]&redirect_uril%2C+user_birthday&state=[state]. No 'Access-Control
-Allow-Origin' header is present on the requested resource. Origin 'null' is
therefore not allowed access.

I tried without rack-cors and simply added these lines to my application.rb:

    config.action_dispatch.default_headers = {
      "Access-Control-Allow-Origin" => "*",
      "Access-Control-Request-Method" => "*",
      "Access-Control-Allow-Methods" => "POST, PUT, DELETE, GET, OPTIONS",
      "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept, Authorization",
      "Access-Control-Max-Age" => "[masked]",
      "X-Frame-Options" => "http://localhost"
    }

this resulted in this error message:

XMLHttpRequest cannot load http://localhost:3000/api/auth/google_oauth2. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
Slightly different, but same problem. Access-Control-Allow-Origin header is AWOL.

I have also posted the problem here:


Thanks!


Regards,
Dan Jensen

www.fitbird.com
E-mail [address removed]
Mobile [masked] (USA)
www.linkedin.com/in/danjensen/




--
Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
This message was sent by Dan ([address removed]) from NYC.rb.
To learn more about Dan, visit his/her member profile
To report this message or block the sender, please click here
Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

Meetup, POB 4668 #37895 NY NY USA 10163 | [address removed]
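Bryan's two checks (is the preflight OPTIONS request answered, and does an error in the app leave the response without its headers) and the wildcard `Access-Control-Allow-Origin` in Dan's `default_headers` both come down to where in the stack the CORS headers are added. The following is an added example, not code from the thread or from rack-cors: a minimal Rack-style middleware with an origin allowlist, written in plain Ruby without the rack gem so it runs stand-alone; `ALLOWED_ORIGINS`, `DEMO_APP` and `cors_call` are constructed for the example.

```ruby
# Constructed allowlist for the example: the client origin from the thread.
ALLOWED_ORIGINS = ['http://localhost:8080'].freeze

class CorsMiddleware
  CORS_HEADERS = {
    'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers' => 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
    'Access-Control-Allow-Credentials' => 'true', # session cookie; cannot be combined with '*'
    'Vary' => 'Origin'                             # caches must not replay one origin's answer
  }.freeze

  def initialize(app)
    @app = app
  end
  def call(env)
    origin = env['HTTP_ORIGIN']
    allowed = ALLOWED_ORIGINS.include?(origin) # Origin 'null' (after a cross-site redirect) never matches
    if env['REQUEST_METHOD'] == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
      # Preflight: answered here, before the app's routes are consulted.
      return [403, { 'Content-Type' => 'text/plain' }, ['origin not allowed']] unless allowed
      return [204, cors_headers(origin).merge('Access-Control-Max-Age' => '600'), []]
    end
    status, headers, body = begin
      @app.call(env)
    rescue StandardError => e # an app error still gets a response that carries the headers
      [500, { 'Content-Type' => 'text/plain' }, ["error: #{e.class}"]]
    end
    headers = headers.merge(cors_headers(origin)) if allowed
    [status, headers, body]
  end
  # Echo the exact allowlisted origin; browsers refuse '*' when credentials are sent.
  def cors_headers(origin)
    CORS_HEADERS.merge('Access-Control-Allow-Origin' => origin)
  end
end
# Constructed demo app: /boom raises, anything else returns 200.
DEMO_APP = lambda do |env|
  raise 'boom' if env['PATH_INFO'] == '/boom'
  [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']]
end

# Build a Rack-style env, run it through the middleware and return [status, headers].
def cors_call(method, path, origin, preflight_for: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = preflight_for if preflight_for
  status, headers, _body = CorsMiddleware.new(DEMO_APP).call(env)
  [status, headers]
end
```

An XHR that follows the redirect from `/auth/facebook` to facebook.com arrives at the other site with Origin 'null', which no allowlist should ever match; no header configuration on the Rails side changes that.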



