0

I'm working on Vue Storefront project(Nuxt.js front-end, Express.js back-end).

I send information from my front-end which I then receive in the Express.js server. The path the information follows is a Home.vue file --> a Nuxt Plugin.js file --> and the a middleware file which is on the Express.js side of the app. (all these files are inside one and the same project).
The middleware will do a POST-request to an external API using Axios. The information will then return to the front-end for the user to be seen.

The problem is that I have an CORS issue, which will most likely be caused because the API does not accept my domain and thus throws the CORS-error at the OPTIONS-request, never sending the POST after that. The thing is that I have Server Side Rendering enabled in the nuxt.config.js, my app and the API are on the same server. But still I get the CORS-error. On top of that, all the Secret keys can be seen in the network tab, which I think is weird because I have hosted my app on my server, and in `nuxt.config.js I've set the following settings:

export default () => {
  const baseConfig = {
    ssr: true, // default value is true
    target: 'server', // default is 'server'
...

The these keys come from Environment Variables on the server, not from a hosted .env file.

How can I hide these Secret keys, and possibly fix the CORS error?

CORS error: Access to XMLHttpRequest at 'API.com' from origin 'MyhostedApp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

CORS error with CORS-browser extension: Access to XMLHttpRequest at 'API.com' from origin 'MyhostedApp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Axios request in my Middleware:

var authBodyFormData = new FormData();
authBodyFormData.append("required_Data", process.env.SAMPLE_ENV_VAR);
async function getAuthtoken() { 
  try {
    const res = await axios({
      method: "post",
      headers: {
        'Access-Control-Allow-Origin': '*',
        "Content-Type": "application/x-www-form-urlencoded" 
      },
      url: process.env.AUTH_URL,
      data: authBodyFormData,
    });
    return response?.data ?? undefined;
  } catch (e) {
    console.warn(e);
  }
}

Browsers request:

**General:**
Request URL: API.com
Referrer Policy: strict-origin-when-cross-origin

**Request Headers:**
Provisional headers are shown Learn more
Accept: application/json, text/plain, */*
Access-Control-Allow-Origin: *
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8fuAlA3VfBtdUPym
Referer: MyhostedApp.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
kissu
  • 40,416
  • 14
  • 65
  • 133
Craws
  • 576
  • 4
  • 30
  • 1
    Please share the CORS error that you get. – Heiko Theißen May 27 '22 at 10:39
  • Added it under my post – Craws May 27 '22 at 10:47
  • You wrote that "The middleware will do a POST-request to an external API using Axios". But the CORS error sounds as if the request is made by the frontend (that is, the browser). Can you share the relevant parts of your middleware? – Heiko Theißen May 27 '22 at 11:00
  • @HeikoTheißen I will also add that code to my post. I'm kinda new to all this so I mist have made a mistake in my request – Craws May 27 '22 at 11:02
  • The CORS error is logged in your browser's console, right? Can you share the request that the _browser_ makes which triggers this error? And since this seems about authentication, please check if [this answer](https://stackoverflow.com/a/72392743/16462950) helps you. – Heiko Theißen May 27 '22 at 11:16
  • Yes, thats right. The request the browser makes is a POST request to fetch a Bearer token, but automatically starts a OPTIONS request before that. Nevertheless, the request of the POST is also added to my post – Craws May 27 '22 at 11:24
  • 1
    But in order to fetch a bearer token (via Authorization Code flow, I assume), the user must first choose and confirm their (Google, Microsoft, or whatever) account, and this cannot be done via XMLHttpRequest. See [this answer](https://stackoverflow.com/a/72392743/16462950). – Heiko Theißen May 27 '22 at 11:26
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/245101/discussion-between-craws-and-heiko-theissen). – Craws May 27 '22 at 11:45

1 Answers1

1

CORS is totally unrelated to your Nuxt configuration, more details are available here.
TDLR: fix those on your backend (several answers are available in the given link above).

Nuxt is a Vue app on steroids with some SSR or SSG. It is not supposed to replace an Express server or alike. Also, one important thing to understand is that env variables are available but private ones will only be available on the server (like the initial render or when building/generating the app). The values of target and ssr are totally irrelevant here because it's a backend configuration issue anyway.

After the initial render, your Nuxt app will behave mostly like a Vue app and all the subsequent navigations will be client-side. Hence, all the HTTP calls will be publicly available (this is how a frontend app works).

If you want to hide some stuff (no real need usually), you could make some calls to a backend who will pass the sensitive tokens and so to the real backend, somewhat like a middleware backend.

The these keys come from Enviorment Variables on the server, not from a hosted .ENV file.

This is exactly the same, there is no difference between both because they are basically the same thing.

The thing is that I have Server Side Rendering enabled in the nuxt.config.js, my app and the API are on the same server.

The target: 'server' doesn't change anything here, since it's related to how page generation is made, it's not a "could you make all of the call on the server please?", as explained here.

Also, if you have the Nuxt app and the API in the same place, you still need to enable the CORS there since you will loopback on the same host.

If you have your API at yolo.com, and the Nuxt app is also located a yolo.com, you still need to tell to your Express app that you need to allow any calls coming from yolo.com to your API endpoint.

kissu
  • 40,416
  • 14
  • 65
  • 133