# NestJS deployed behind traefik returns HTTP 403 Forbidden resource


frozen coyote

Hello everyone. I need some guidance for this issue.

I have 2 docker containers, an Angular app and NestJS app, deployed behind traefik. The NestJS app acts as an API.
The headscratchers, at least for me:

  1. API endpoints called by the Angular app always return HTTP 403 Forbidden resource
  2. API endpoints called directly using a browser or from Insomnia return the expected response
  3. Attaching a middleware to see the incoming request headers to the NestJS app shows that traefik is correctly passing the headers from the client

I have tried the following:

  1. Enable CORS with origin *
  2. Set the express 'trusted proxy' to true
    But the issue persists.

Any suggestions are appreciated. Thank you!

gentle fossil
frozen coyote

I don't think I did. I used an Angular interceptor to append the JWT to every request sent to the API server. But thanks to your response, I tried disabling the Firebase JWT guard on the NestJS side, and the app returns the expected response.

So I guess the authorization header somehow did not get parsed by NestJS even though it is there?

frozen coyote

Nope. Never mind me. The long hours got to me. I reviewed the guard code and realized that it's going to return false on any error, i.e. HTTP 403 Forbidden resource.

gentle fossil

Even if your Angular interceptor appends an authorization header to every request, the browser won't send it if the request is cross-origin, unless you specify credentials: 'include' in your fetch configuration.

frozen coyote

The authorization header got sent to the NestJS app since traefik indeed passed the original headers. And since the Angular and NestJS apps are behind the same traefik, they are kind of in the same origin. It's just me being dumb. I placed code in the NestJS guard to parse the JWT and use it to query the user info. That part errored since there's no info for the user.
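The root cause in this thread is a guard whose catch-all returns false, so a JWT parse failure, a missing Authorization header and a user-lookup miss all surface as the same "403 Forbidden resource" (the message NestJS uses when a guard returns false). The example below is added here and is not code from the thread or from either poster. It is plain TypeScript with no NestJS dependency: the signing secret, the user table, the HS256 `signToken`/`verifyToken` stand-in for Firebase verification, and `runGuard` (which models how Nest turns a guard result into a response) are all constructed for the example. A real guard would implement `CanActivate` from `@nestjs/common` and throw `UnauthorizedException`/`ForbiddenException`; the point carried over is the same: throw an exception that names the failure instead of collapsing every error into `return false`.

```typescript
// Added example (not from the thread): a guard that swallows every error and
// returns false yields "403 Forbidden resource" whatever went wrong; a guard
// that throws a status-bearing exception tells the client and the logs which
// check actually failed. Node's crypto only; NestJS behaviour is modelled.
import { createHmac, timingSafeEqual } from "crypto";

// Constructed secret and user table, for this example only.
const SECRET = "example-signing-secret";
const USERS: Record<string, { email: string }> = {
  "user-1": { email: "alice@example.test" },
};

type Req = { headers: Record<string, string | undefined> };

// Minimal stand-in for Nest's HttpException: carries an HTTP status.
class HttpException extends Error {
  status: number;
  constructor(status: number, message: string) {
    super(message);
    this.status = status;
  }
}

function b64url(s: string): string {
  return Buffer.from(s).toString("base64url");
}

// Constructed stand-in for a JWT issuer: HS256 over "header.payload".
function signToken(payload: object): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", SECRET).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Constructed stand-in for Firebase JWT verification; throws on any defect.
function verifyToken(token: string): { sub: string } {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const expected = createHmac("sha256", SECRET).update(`${head}.${body}`).digest("base64url");
  const a = Buffer.from(sig);
  const b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) throw new Error("bad signature");
  const payload = JSON.parse(Buffer.from(body, "base64url").toString());
  if (typeof payload.sub !== "string") throw new Error("missing sub claim");
  return payload;
}

function bearer(req: Req): string | undefined {
  const h = req.headers["authorization"];
  return h && h.startsWith("Bearer ") ? h.slice("Bearer ".length) : undefined;
}

// The pattern from the thread: every failure collapses into `return false`,
// which Nest reports as 403 "Forbidden resource" regardless of the cause.
function lossyGuard(req: Req): boolean {
  try {
    const { sub } = verifyToken(bearer(req) ?? "");
    const user = USERS[sub];
    return user.email.length > 0; // TypeError when the user record is missing
  } catch {
    return false;
  }
}

// Name each failure: no or invalid credential -> 401, unknown subject -> 403
// with a message that says so. Nest would log the exception with its message.
function preciseGuard(req: Req): boolean {
  const token = bearer(req);
  if (!token) throw new HttpException(401, "missing bearer token");
  let sub: string;
  try {
    sub = verifyToken(token).sub;
  } catch (e) {
    throw new HttpException(401, `invalid token: ${(e as Error).message}`);
  }
  if (!USERS[sub]) throw new HttpException(403, `no user record for subject ${sub}`);
  return true;
}

// Models what Nest does with a guard result: false -> ForbiddenException
// "Forbidden resource"; a thrown HttpException keeps its own status.
function runGuard(guard: (r: Req) => boolean, req: Req): { status: number; message: string } {
  try {
    return guard(req)
      ? { status: 200, message: "OK" }
      : { status: 403, message: "Forbidden resource" };
  } catch (e) {
    if (e instanceof HttpException) return { status: e.status, message: e.message };
    return { status: 500, message: "Internal server error" };
  }
}
```

Running `runGuard(lossyGuard, req)` for a request with no header, a tampered token and a valid token for an unknown user gives the identical `Forbidden resource` in all three cases, which is exactly the symptom reported at the top of the thread; `preciseGuard` returns 401 for the first two and a 403 whose message points at the missing user record.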