Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

'Access-Control-Allow-Credentials' header in the response is '' which must be 'true'

I'm using node, express on backend and angular4 at client side which is giving me following error:

XMLHttpRequest cannot load http://localhost:4876/login/check. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Api for login/check is implimented as below:

router.get('/login/check', (req: any, res: any) => {         let api = new ApiConnection(req, res);         let accessCard: IAccessCard = api.getContent(Auth.ACCESS_CARD_KEY);         if(!Auth.isValid(accessCard))             return api.response.error();          ChatBox.auth.isExpired(accessCard, function (err:any, isExpired: boolean) {             if (err) return api.response.error();             if(!isExpired) {                 api.cookie("AccessCard", accessCard);                 api.response.success(accessCard);             }             else {                 api.response.error();             }         })     }); 

Where router definition is const router = require('express').Router()

Setting middleware for header and cors is as follows:

export class Application {     private app:any = express();     constructor() {         this.setCors();         this.setHeaders();     }      public getApp():any {         return this.app;     }      private setCors(){         let whitelist = ['http://localhost:4200','http://localhost:80'];         let corsOptions = {             origin: (origin:any, callback:any)=>{                 if (whitelist.indexOf(origin) !== -1) {                     callback(null, true)                 } else {                     callback(new Error('Not allowed by CORS'))                 }             }         }         this.app.use(cors(corsOptions));     }        private setHeaders() {         this.app.use(function (req:any, res:any, next: any) {              // Website you wish to allow to connect             //res.setHeader('Access-Control-Allow-Origin', Config.WEB_APP_HOST);             res.setHeader('Access-Control-Allow-Origin', 'http://localhost:4200');              // Request methods you wish to allow             res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');              // Request headers you wish to allow             res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With, content-type');              // Set to true if you need the website to include cookies in the requests sent             // to the API (e.g. in case you use sessions)             res.setHeader('Access-Control-Allow-Credentials', true);              // Pass to next layer of middleware             next();         });     } } 

On client side I'm using Api as follows:

public startSession(callback: (status: boolean, result: any) => void ) {     let self: ChatBox = this;     /**      * @res.result: IAccessCard      */     this.mApiConnection.get(Api.root+'/login/check', (res: any) => {       if (res.status == ResponseStatus.SUCCESS) {         self.mStorage.storeAccessCard(res.result);         self.loadAccount(res.result);       }       callback(res.status, res.result);     })   } 
like image 513
Akhilesh Kumar Avatar asked May 04 '17 02:05

Akhilesh Kumar


People also ask

How do I make Access-Control allow credentials true?

For a CORS request with credentials, for browsers to expose the response to the frontend JavaScript code, both the server (using the Access-Control-Allow-Credentials header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting into including credentials.

What does Access-Control allow headers do?

The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. This header is required if the request has an Access-Control-Request-Headers header.

How do you fix credential is not supported if the CORS header Access-Control allow origin is *?

To correct this problem on the client side, ensure that the credentials flag's value is false when issuing your CORS request. If the request is being issued using XMLHttpRequest , make sure you're not setting withCredentials to true . If using Server-sent events, make sure EventSource.

How do you fix ensure CORS response header values are valid?

The CORS request requires that the server permit the use of credentials, but the server's Access-Control-Allow-Credentials header's value isn't set to true to enable their use. To fix this problem on the client side, revise the code to not request the use of credentials.


1 Answers

While setting cors in corsOptions I added value credentials true it worked as follows:

private setCors(){         let whitelist = ['http://localhost:4200','http://localhost:80'];         let corsOptions = {             origin: (origin:any, callback:any)=>{                 if (whitelist.indexOf(origin) !== -1) {                     callback(null, true)                 } else {                     callback(new Error('Not allowed by CORS'))                 }             },credentials: true         }         this.app.use(cors(corsOptions));     } 
like image 185
Akhilesh Kumar Avatar answered Sep 18 '22 21:09

Akhilesh Kumar