0

I am building a website that include payment option with NuxtJs. But I am getting CORS error when i want to rediect to payment page of virtual POS integrator.

On backend side I am using Golang/Echo like this:

func startPaymentProcess(c echo.Context) {
    header := c.Response().Header()
    header.Add("Access-Control-Allow-Origin", "*")
    header.Add("Access-Control-Allow-Methods", "DELETE, POST, GET, OPTIONS")
    header.Add("Access-Control-Allow-Headers", "Content-Type, Authorization")

    //...
    // do some controls
    //..

    c.Redirect(http.StatusSeeOther, "https://web-test.vercel.app/workplace/payment/success")
}

On frontend axios call like this

export const SetSubscription = async () => {
  try {
    return await axios({
      method: "GET",
      url: API_URL + `/workplaces/payment-test`,
      headers: {
        "Authorization": shared.getAuthorizationHeader()
      }
    });
  } catch (error) {
    return error
  }
}

On developer console error like this:

Access to XMLHttpRequest at 'https://web-test.vercel.app/workplace/payment/success' (redirected from 'https://api.test.domain.tech/workplaces/payment-test') from origin 'https://web-test.vercel.app' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.
688030a.js:2 

GET https://web-test.vercel.app/workplace/subscription/success net::ERR_FAILED

On developer console network error like this: enter image description here

Which point that I'm missing?

jub0bs
  • 60,866
  • 25
  • 183
  • 186
emre
  • 41
  • 6
  • 1
    When a preflighted request results in a cross-origin redirect, the browser performs a whole new CORS access-control check for the redirection origin. Is `https://web-test.vercel.app/workplace/payment/success` properly configured for CORS? Based on your CORS error message, unlikely. You need to fix that or, alternatively, make the call to it on the server side rather than redirect to it. – jub0bs Dec 30 '21 at 22:36
  • First of all thank you for response. I'm adding headers before send redirection to client. What kind of fix that I need to fix? – emre Dec 31 '21 at 08:55
  • Do you have control over `web-test.vercel.app`? Can you make changes to it? – jub0bs Dec 31 '21 at 09:10
  • Hi, sorry for late response. Yes, I have full control over vercel. Also I tried vercel.json as they mentioned on https://vercel.com/support/articles/how-to-enable-cors#enabling-cors-using-vercel.json but it did not solve my problem – emre Jan 01 '22 at 10:56
  • If you properly configure CORS on the Vercel side, it should solve your issue. You'll need to explicitly allow the `Authorization` header. – jub0bs Jan 01 '22 at 11:01
  • I tried many things on backend side for fix CORS error but nothing has changed. Wrote a custom config for golang and vercel that include `Authorization` header and it still gives an error :( – emre Jan 02 '22 at 09:32
  • Is `https://web-test.vercel.app/workplace/payment/success` the actual endpoint or some dummy URL you used for this question? If it's not the real one, can you share the real one in the comments? – jub0bs Jan 02 '22 at 11:13
  • https://web-test.vercel.app/workplace/payment/success is just for tell the problem to you. actual endpoint is https://emarkan-web-test.vercel.app/workplace/payment/success (it is really exists). In my scenario I want to redirect user to our integrators (ParamPOS) payment page. But first I want make PoC of this redirect policy. But I'm stuck at the start of the way. – emre Jan 02 '22 at 13:49
  • Did you notice that the the backend also return `Access-Control-Allow-Credentials: true` in the response? The config mentioned in your question doesn't mention that. Be aware that you cannot use `Access-Control-Allow-Credentials: true` in conjunction with the wildcard (`*`). – jub0bs Jan 02 '22 at 14:26
  • Also, check the origin of the preflight request to `https://web-test.vercel.app/workplace/payment/success`. Is it `null`? – jub0bs Jan 02 '22 at 14:28
  • I tried so many things and I did not get it where is the problem. But I solve this problem with some hacks, I hope it does give an another error – emre Jan 04 '22 at 00:11

1 Answers1

0

I know this question is probably not relevant anymore, but it is caused probably by the wildcard in Access-Control-Allow-Origin, try putting the host of the UI.

Jakub Klimek
  • 433
  • 6
  • 18