#CORS issues despite setting configuration

24 messages · Page 1 of 1 (latest)

cobalt rover
#

Strangely I am only seeing this issue in my local environment, my remote production setup works fine. I'm using an entirely out-of-the-box backend and admin, running the backend with docker-compose along with Redis and Postgres on the same docker network. I pass the following env vars into my medusa backend container:

environment:
  NODE_ENV: development
  STORE_CORS: http://localhost:9500,http://127.0.0.1:9500
  ADMIN_CORS: http://localhost:9501,http://127.0.0.1:9501
  DATABASE_URL: postgres://postgres:postgres@db:5432/dbname
  REDIS_URL: redis://cache:6379
  JWT_SECRET: local_jwt_secret
  COOKIE_SECRET: local_cookie_secret
  PORT: 8080

And I launch the admin UI with the command vite --port 9501, which can then successfully be accessed by either of the provided ADMIN_CORS urls.

The error in the web console I am receiving is:

Access to XMLHttpRequest at 'http://localhost:9502/admin/auth' from origin 'http://localhost:9501' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

while attempting to log in to the admin panel. The same errors occur with the respective ports on my storefront; however, my storefront is custom-built, so I'm avoiding focusing on that for now as it could contain user error. This, however, is more or less a fresh clone of the medusa admin repo + a very simple medusa docker container with no custom edits, which has already proven to work properly in the remote environment.

I also shelled into the local backend container and echoed the ADMIN_CORS var and it's properly set. I also attempted other variations with and without the ',' delimiter. Actually I had more luck when I was routing via local NGINX.

#

Dockerfile:

FROM node:18-alpine
WORKDIR /app

RUN apk update && apk add python3 bash && rm -rf /var/cache/apk/*
RUN npm install -g babel-cli

COPY package.json yarn.lock ./
RUN yarn install
COPY . .

ENTRYPOINT ["/app/develop.sh"]

#

develop.sh:

#!/bin/bash
yarn run medusa migrations run
yarn run medusa seed -f ./data/seed.json
yarn run medusa develop

#

My main question is why would the server ever be returning a wildcard header if I have verified the ENV VAR is set in the container???

sharp frost
#

I don't think there's anything by default in medusa core that will set wildcard as the header. Even if the env var is not provided, it would default to localhost:8000 and localhost:7000. Maybe something on your side?

cobalt rover
#

As I said, I've made no customizations to the Medusa backend code. The Medusa code is downloaded via yarn install using the following dependency packages:

    "@medusajs/medusa": "^1.6.0",
    "@medusajs/medusa-cli": "^1.3.3",
    "medusa-file-spaces": "^1.3.5",
    "medusa-fulfillment-manual": "^1.1.31",
    "medusa-interfaces": "^1.3.3",
    "medusa-payment-manual": "^1.0.16",
    "medusa-payment-stripe": "^1.1.45",
    "typeorm": "^0.2.36"

and then the deployment script is as listed above: simple, migrate, seed, develop. Nothing really to it. I also can't explain how it works in the remote environment using my actual domain passed in the same way.

cobalt rover
#

cURL works fine:

riggy@waystone ~ % curl --request GET \
  --url http://localhost:9502/store/regions \
  --cookie connect.sid=s%253AT0L2K8PPrYY_M1kaWSaXqxKbOqOhsOIJ.8UdDUQOGLyc6iTTHTi78i1ZXUtOok4a0Oml840psTjo
{"regions":[{"id":"reg_01GVTJ8TTD1YDJ8D1BX1313SYN","created_at":"2023-03-18T14:34:10.059Z","updated_at":"2023-03-18T14:34:10.059Z","deleted_at":null,"name":"NA","currency_code":"usd","tax_rate":0,"tax_code":null,"gift_cards_taxable":true,"automatic_taxes":true,"tax_provider_id":null,"metadata":null,"countries":[{"id":236,"iso_2":"us","iso_3":"usa","num_code":840,"name":"UNITED STATES","display_name":"United States","region_id":"reg_01GVTJ8TTD1YDJ8D1BX1313SYN"},{"id":39,"iso_2":"ca","iso_3":"can","num_code":124,"name":"CANADA","display_name":"Canada","region_id":"reg_01GVTJ8TTD1YDJ8D1BX1313SYN"}],"payment_providers":[{"id":"manual","is_installed":true}],"fulfillment_providers":[{"id":"manual","is_installed":true}]}]}

whereas the request is blocked in the browser:

Access to XMLHttpRequest at 'http://localhost:9502/store/regions' from origin 'http://127.0.0.1:9500' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
#

Browser Request details:

General:
Request URL: http://localhost:9502/store/regions
Request Method: GET
Status Code: 404 Not Found
Referrer Policy: strict-origin-when-cross-origin

Response Headers:
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 0
Date: Sat, 18 Mar 2023 14:34:54 GMT
Keep-Alive: timeout=5

Request Headers:
Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Host: localhost:9502
Origin: http://127.0.0.1:9500
Referer: http://127.0.0.1:9500/
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
#

There is indeed a wildcard being returned.
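The rule behind the console errors quoted in the posts above, as an added illustration that is not part of the thread and not Medusa's or the cors package's code: a request sent with credentials can only pass if the response echoes the exact requesting origin (never '*') and also carries Access-Control-Allow-Credentials: true. The allow-list parsing and server-side header logic below are assumed, simplified equivalents of what an origin allow-list middleware does; the STORE_CORS value is the one from the compose file.

```javascript
// Added example (not Medusa's or the cors package's code): models the
// decision a browser makes for a request sent with credentials: 'include'.

// Build an allow-list from a comma-separated value like STORE_CORS above.
function parseOrigins(envValue) {
  return (envValue || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Assumed server side: echo the requesting origin only if it is on the
// list, and mark the response as credential-capable. Never answer "*".
function corsResponseHeaders(allowList, requestOrigin) {
  const headers = {};
  if (requestOrigin && allowList.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // caches must not reuse this across origins
  }
  return headers;
}

// Browser side: the checks a credentialed request must pass.
function browserAllows(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (acao === "*") return { ok: false, reason: "wildcard rejected with credentials" };
  if (acao !== requestOrigin) return { ok: false, reason: "origin mismatch: " + acao };
  if (responseHeaders["Access-Control-Allow-Credentials"] !== "true") {
    return { ok: false, reason: "missing Access-Control-Allow-Credentials: true" };
  }
  return { ok: true, reason: "allowed" };
}

// Same value as STORE_CORS in the compose file from the thread.
const STORE_CORS = "http://localhost:9500,http://127.0.0.1:9500";
const allowList = parseOrigins(STORE_CORS);
const origin = "http://127.0.0.1:9500";

// 1. The headers actually captured in the browser above: blocked.
const captured = { "Access-Control-Allow-Origin": "*" };
console.log("captured:", browserAllows(origin, captured));

// 2. What an allow-list server would answer the same Origin: allowed.
console.log("allow-list:", browserAllows(origin, corsResponseHeaders(allowList, origin)));

// 3. An origin not on the list gets no ACAO header at all: blocked.
const other = "http://localhost:9503";
console.log("unlisted:", browserAllows(other, corsResponseHeaders(allowList, other)));
```

Note that the captured response above is also a 404 with Content-Length 0, while curl to the same URL returned the regions JSON, so it is worth confirming that the same process answered both requests.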

sharp frost
#

So I'm guessing somehow the variables are not passed

#

Are you sure in medusa-config the cors settings are passed?

cobalt rover
#

Yeah, I actually just dipped into the node_modules package for @medusajs/medusa/dist/api/routes/store/index.js, which corresponds to this file: https://github.com/medusajs/medusa/blob/master/packages/medusa/src/api/routes/store/index.js#L29
and added console.log(config) right before route.use(cors(... is called, and it printed:

api    | {
api    |   jwt_secret: 'local_jwt_secret',
api    |   cookie_secret: 'local_cookie_secret',
api    |   redis_url: 'redis://cache:6379',
api    |   database_url: 'postgres://postgres:postgres@db:5432/dbname',
api    |   database_extra: {},
api    |   database_type: 'postgres',
api    |   store_cors: 'http://localhost:9500,http://127.0.0.1:9500',
api    |   admin_cors: 'http://localhost:9501,http://127.0.0.1:9501'
api    | }

So I'm quite certain that the origin is being set in the cors lib


sharp frost
#

Yeah, that's the same file I checked a couple of minutes ago. But otherwise it would be an empty string, as this line suggests.

#

and he just had issues with POST requests, not GET

cobalt rover
#

Yeah, just to be absolutely sure I printed the value that was being passed into origin and it's:
[ 'http://localhost:9500', 'http://127.0.0.1:9500' ]

#

I'm experiencing issues with both. I'll attempt to just blow away the repos and re-clone from scratch. However, given how docker works and that I'm clearing the images between runs, it's almost the same thing I think. But worth a try.

sharp frost
#

Maybe the issue is Docker and how you are exposing ports? Or how the backend and frontend are communicating with each other in the localhost environment? I'm not a docker expert though, so I can't help.

cobalt rover
#

simply through docker port mapping:

ports:
  - 9502:8080

in the api service in docker-compose.yaml

#

I believe I can rule that out as cURL requests work. It definitely has to do with the CORS configuration on the server. I just can't locate the issue, and it's slightly difficult to debug given that I'm only using the minified medusa source downloaded via NPM locally.

#

Re-cloning the repos did not help. Is there a way I can escalate? Are GitHub issues better suited?

clear bolt
cobalt rover
#

Neither bumping the version nor pulling the repos again helped 😦