Can't figure out "No 'Access-Control-Allow-Origin' header" in Node Express with CORS and Mandrill

Question

I've been reading up enough to know I'm lost on this one. The solutions on other threads don't seem to help.

I have a page at pages.samedomain.com calling the mandrill api in my Node site at apps.samedomain.com. Using ORM, I am able to write through the tables route just fine. After the table is written and the page receives confirmation, it's supposed to fire to the email route. When run locally, both work fine. When deployed, I get...

XMLHttpRequest cannot load http://apps.samedomain.com/.../.../mail/4847775376401843. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://pages.samedomain.com' is therefore not allowed access. The response had HTTP status code 502.

In my app.js I have...

var cors = require('cors');
app.use(cors());

In my routes file I have...

module.exports = function(appRouter) {    

var mandrill = require('mandrill-api/mandrill');
var mandrill_client = new mandrill.Mandrill(process.env.MANDRILL_API_KEY);    

appRouter.route('/.../mail/:first_list_id').post(function(req,res){

    req.models.know_me_2016
        .find({list_id:req.params.first_list_id})
        .run(function(err, results){
            if (err) { 
                res.send(err); 
            } else {
                var template_content = [{
                    "recipient": <stuff> ,
                    "content": <stuff>
                }];
                var message = {
                    <mandrill message object stuff>
                };
            }

            mandrill_client.messages.sendTemplate({
                "template_name": <template-name>, 
                "template_content": template_content, 
                "message": message}, function(result) {
                    console.log(result);

                    //I tried adding header stuff but it didn't help, maybe in wrong place? I thought CORS library was going to take care of this part?

                    res.header("Access-Control-Allow-Origin", "http://interactives.dallasnews.com");
                    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");

                    //It sends successfully when run local
                    res.send("Email sent successfully");
                }, function(e) {
                    // Mandrill returns the error as an object with name and message keys
                    console.log('A mandrill error occurred: ' + e.name + ' - ' + e.message);
                    // A mandrill error occurred: Unknown_Subaccount - No subaccount exists with the id 'customer-123'
            });
        });        
    });
}

My Mandrill key is set to accept all IPs.

Any insight would be appreciated.

Answer 1

You need to add allowed origins to the white list when initializing cors:

var whitelist = [
    'http://samedomain.com',
    'http://apps.samedomain.com',
    'http://pages.samedomain.com'
    // list whatever possible domains you have
]
var globalCorsOptions = {
    origin: function(origin, callback) {             
        callback(null, whitelist.indexOf(origin) !== -1);
    }
};

var cors = require('cors');
app.use(cors(globalCorsOptions));

Answer 2

In this particular case, it turns out the problem was with the lack of an updated .env file. Our private git ignores .env files so the credentials weren't being posted. Mandrill was unable to connect. Once the Mandrill credentials were inserted and the .env remote updated, it started working as expected.