Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Update documentation regarding preflight use with other middleware

See original GitHub issue

I’ve run into an issue when using a combination of middleware, particularly ones that modify the headers. As it turns out, ordering is important.

import express from 'express'
import helmet from 'helmet'
import cors from 'cors'
import morgan from 'morgan'
import bodyParser from 'body-parser'
import router from './routes'
import './utils/db'

const app = express()

app.use(cors())
app.use(morgan('combined'))
app.use(bodyParser.json({ type: 'application/json' }))
app.use(helmet())

app.use(router)

let port = 5000

app.listen(port, () => {
  console.log('ready')
})

Stumbled onto this issue which reveals the issue is in this cors middleware. https://github.com/helmetjs/helmet/issues/157

Digging through the source code for cors, the following line prevents subsequent middleware from being used for the preflight:

https://github.com/expressjs/cors/blob/b5bbc285194568f414afc2390c56f672734d3fac/lib/index.js#L180

I understand that this is required, but it’s unclear that the ordering of middleware is important.

I think it’s worth adding either a known issues section, or making it clear under usage.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:14 (6 by maintainers)

github_iconTop GitHub Comments

3reactions
rainecommented, Jul 23, 2018

Understood. In that case I would certainly clarify in the README that app.use(cors()) will enable CORS preflight requests. Currently the “Enabling CORS Pre-Flight” section leaves you under the impression that app.options() is the only way.

0reactions
jub0bscommented, Oct 30, 2022

I think this confusion stems from the middleware incorrectly interpreting all OPTIONS requests as preflight requests. But clearly, some OPTIONS requests are not preflight requests.

Read more comments on GitHub >

github_iconTop Results From Across the Web

auth middleware expects credentials for CORS-preflight ...
The potential issue here is that credentials are not meant to be included in CORS-preflight OPTIONS requests, yet the middleware still expects ...
Read more >
Preflight request is sent with all methods - Stack Overflow
A CORS preflight OPTIONS request can be triggered just by adding a Content-Type header to a request — if the value's anything except...
Read more >
Express cors middleware
CORS is a node.js package for providing a Connect/Express middleware that can be used to enable CORS with various options. Follow me (@troygoode)...
Read more >
Configuring CORS - Apollo GraphQL Docs
To do so, you'll first need to swap to using expressMiddleware (or any other Apollo Server integration). ⚠️ If your app is only...
Read more >
CORS Tutorial: A Guide to Cross-Origin Resource Sharing
Tutorial on modifying existing applications to support CORS. ... will instead make an automatic preflight request using the OPTIONS method.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Array of origins including wildcard

Next page

Why run request handlers "successfully" if the request fails CORS?