Channels
100daysofcode
100daysofkotlin
100daysofkotlin-2021
advent-of-code
aem
ai
alexa
algeria
algolialibraries
amsterdam
android
android-architecture
android-databinding
android-studio
androidgithubprojects
androidthings
androidx
androidx-xprocessing
anime
anko
announcements
apollo-kotlin
appintro
arabic
argentina
arkenv
arksemdevteam
armenia
arrow
arrow-contributors
arrow-meta
ass
atlanta
atm17
atrium
austin
australia
austria
awesome-kotlin
ballast
bangladesh
barcelona
bayarea
bazel
beepiz-libraries
belgium
berlin
big-data
books
boston
brazil
brikk
budapest
build
build-tools
bulgaria
bydgoszcz
cambodia
canada
carrat
carrat-dev
carrat-feed
chicago
chile
china
chucker
cincinnati-user-group
cli
clikt
cloudfoundry
cn
cobalt
code-coverage
codeforces
codemash-precompiler
codereview
codingame
codingconventions
coimbatore
collaborations
colombia
colorado
communities
competitive-programming
competitivecoding
compiler
compose
compose-android
compose-desktop
compose-hiring
compose-ios
compose-mp
compose-ui-showcase
compose-wear
compose-web
connect-audit-events
corda
cork
coroutines
couchbase
coursera
croatia
cryptography
cscenter-course-2016
cucumber-bdd
cyprus
czech
dagger
data2viz
databinding
datascience
dckotlin
debugging
decompose
decouple
denmark
deprecated
detekt
detekt-hint
dev-core
dfw
docs-revamped
dokka
domain-driven-design
doodle
dsl
dublin
dutch
eap
eclipse
ecuador
edinburgh
education
effective-kotlin
effectivekotlin
emacs
embedded-kotlin
estatik
event21-community-content
events
exposed
failgood
fb-internal-demo
feed
firebase
flow
fluid-libraries
forkhandles
forum
fosdem
fp-in-kotlin
framework-elide
freenode
french
fritz2
fuchsia
functional
funktionale
gamedev
ge-kotlin
general-advice
georgia
geospatial
german-lang
getting-started
github-workflows-kt
glance
godot-kotlin
google-io
gradle
graphic
graphkool
graphql
graphql-kotlin
graviton-browser
greece
grpc
gsoc
gui
hackathons
hacktoberfest
hamburg
hamkrest
helios
helsinki
hexagon
hibernate
hikari-cp
hire-me
hiring
hongkong
hoplite
http4k
hungary
hyderabad
image-processing
india
indonesia
inkremental
intellij
intellij-plugins
intellij-tricks
internships
introduce-yourself
io
ios
iran
israel
istanbulcoders
italian
jackson-kotlin
jadx
japanese
jasync-sql
java-to-kotlin-refactoring
javadevelopers
javafx
javalin
javascript
jdbi
jhipster-kotlin
jobsworldwide
jpa
jshdq
juul-libraries
jvm-ir-backend-feedback
jxadapter
k2-early-adopters
kaal
kafka
kakao
kalasim
kapt
karachi
karg
karlsruhe
kash_shell
kaskade
kbuild
kdbc
kgen-doc-tools
kgraphql
kinta
klaxon
klock
kloudformation
kmdc
kmm-español
kmongo
knbt
knote
koalaql
koans
kobalt
kobweb
kodein
kodex
kohesive
koin
koin-dev
komapper
kondor-json
kong
kontent
kontributors
korau
korean
korge
korim
korio
korlibs
korte
kotest
kotest-contributors
kotless
kotlick
kotlin-asia
kotlin-beam
kotlin-by-example
kotlin-csv
kotlin-data-storage
kotlin-foundation
kotlin-fuel
kotlin-in-action
kotlin-inject
kotlin-latam
kotlin-logging
kotlin-multiplatform-contest
kotlin-mumbai
kotlin-native
kotlin-pakistan
kotlin-plugin
kotlin-pune
kotlin-roadmap
kotlin-samples
kotlin-sap
kotlin-serbia
kotlin-spark
kotlin-szeged
kotlin-website
kotlinacademy
kotlinbot
kotlinconf
kotlindl
kotlinforbeginners
kotlingforbeginners
kotlinlondon
kotlinmad
kotlinprogrammers
kotlinsu
kotlintest
kotlintest-devs
kotlintlv
kotlinultimatechallenge
kotlinx-datetime
kotlinx-files
kotlinx-html
kotrix
kotson
kovenant
kprompt
kraph
krawler
kroto-plus
ksp
ktcc
ktfmt
ktlint
ktor
ktp
kubed
kug-leads
kug-torino
kvision
kweb
lambdaworld_cadiz
lanark
language-evolution
language-proposals
latvia
leakcanary
leedskotlinusergroup
lets-have-fun
libgdx
libkgd
library-development
linkeddata
lithuania
london
losangeles
lottie
love
lychee
macedonia
machinelearningbawas
madrid
malaysia
mathematics
meetkotlin
memes
meta
metro-detroit
mexico
miami
micronaut
minnesota
minutest
mirror
mockk
moko
moldova
monsterpuzzle
montreal
moonbean
morocco
motionlayout
mpapt
mu
multiplatform
mumbai
munich
mvikotlin
mvrx
myndocs-oauth2-server
naming
navigation-architecture-component
nepal
new-mexico
new-zealand
newname
nigeria
nodejs
norway
npm-publish
nyc
oceania
ohio-kotlin-users
oldenburg
oolong
opensource
orbit-mvi
osgi
otpisani
package-search
pakistan
panamá
pattern-matching
pbandk
pdx
peru
philippines
phoenix
pinoy
pocketgitclient
polish
popkorn
portugal
practical-functional-programming
proguard
prozis-android-backup
pyhsikal
python
python-contributors
quasar
random
re
react
reaktive
realm
realworldkotlin
reductor
reduks
redux
redux-kotlin
refactoring-to-kotlin
reflect
refreshversions
reports
result
rethink
revolver
rhein-main
rocksdb
romania
room
rpi-pico
rsocket
russian
russian_feed
russian-kotlinasfirst
rx
rxjava
san-diego
science
scotland
scrcast
scrimage
script
scripting
seattle
serialization
server
sg-user-group
singapore
skia-wasm-interop-temp
skrape-it
slovak
snake
sofl-user-group
southafrica
spacemacs
spain
spanish
speaking
spek
spin
splitties
spotify-mobius
spring
spring-security
squarelibraries
stackoverflow
stacks
stayhungrystayfoolish
stdlib
stlouis
strife-discord-lib
strikt
students
stuttgart
sudan
swagger-gradle-codegen
swarm
sweden
swing
swiss-user-group
switzerland
talking-kotlin
tallinn
tampa
teamcity
tegal
tempe
tensorflow
terminal
test
testing
testtestest
texas
tgbotapi
thailand
tornadofx
touchlab-tools
training
tricity-kotlin-user-group
trójmiasto
truth
tunisia
turkey
turkiye
twitter-feed
uae
udacityindia
uk
ukrainian
uniflow
unkonf
uruguay
utah
uuid
vancouver
vankotlin
vertx
videos
vienna
vietnam
vim
vkug
vuejs
web-mpp
webassembly
webrtc
wimix_sentry
wwdc
zircon
Title
m
mp
07/06/2018, 1:08 PMWhat’s your CORS config?
✅ 1
📝 1
v
vincent.brule
07/06/2018, 1:09 PMI’m really not a pro with the CORS issue. I try this in ktor : install(DefaultHeaders) {
//header(HttpHeaders.AccessControlAllowOrigin, “*”)
header(HttpHeaders.AccessControlExposeHeaders, “ANNIA_SESSION”)
}
install(CORS) {
anyHost()
method(HttpMethod.Get)
method(HttpMethod.Post)
method(HttpMethod.Put)
header(“ANNIA_SESSION”)
}
For the get request that works but no with my put request
m
mp
07/06/2018, 1:11 PMAh. You need to use the actual hostname, `*`(
anyHost()v
vincent.brule
07/06/2018, 1:12 PMI need to replace anyHost() by host(“*”)
?
m
mp
07/06/2018, 1:13 PMWhen responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the “*” wildcard.
No, it should be something like
<http://localhost:3000>Supply the allowed origin as part of your config
BTW since you’re configuring security for browsers, you might be interested in https://bitbucket.org/marshallpierce/ktor-csrf/src/master/ (disclaimer: I’m the author)
👀 1
v
vincent.brule
07/06/2018, 1:15 PMIs there a method to totally disable CORS because I have many issue with this ?
m
mp
07/06/2018, 1:15 PMYou’d have ot disable it from the browser side if you wanted it gone. However, you probably want to figure out the issues sooner rather than later because you don’t want to debug this in production!
v
vincent.brule
07/06/2018, 1:16 PMYes I understand
I have the impression CORS just are a problem for back end developer...
m
mp
07/06/2018, 1:17 PMI’d say they make life easier by allowing us to write the backend separately from the frontend 🙂
Here’s my cors config that works great for me.
install(CORS) {
val originUrl = config.corsAllowOrigin()
val host = if (originUrl.port > 0) {
"${originUrl.host}:${originUrl.port}"
} else {
originUrl.host
}
host(host, schemes = listOf(originUrl.protocol))
allowCredentials = true
header("X-MI-AntiCSRF")
method(HttpMethod.Delete)
}config.corsAllowOrigin()URLv
vincent.brule
07/06/2018, 1:18 PMThanks !
I don’t understand the goal of CORS …? Is it to secure the back ?
m
mp
07/06/2018, 1:19 PMThe goal is to selectively configure the browser to lift the “same origin policy” that would normally restrict XHR requests.
If js running on
<http://foo.com|foo.com><http://bar.com|bar.com>v
vincent.brule
07/06/2018, 1:20 PMBut if I try without localhost but with an external server I will not have these problems ?
m
mp
07/06/2018, 1:20 PMHowever, if
<http://bar.com|bar.com>v
vincent.brule
07/06/2018, 1:20 PMJust for your code… What is corsAllowOrigin() ?
m
mp
07/06/2018, 1:20 PMAn external server will behave the same, except that the difference in origin will presumably because the domain is different rather than the port — on local dev, typically everything is
localhostThat method is on my config class; it returns a URL (e.g.
URL("<http://localhost:3000>")v
vincent.brule
07/06/2018, 1:21 PMSo the problem is the same origin : localhost ?
I have the same error with your code 😞
m
mp
07/06/2018, 1:23 PMcan you paste the preflight request (from your browser’s dev tools)
v
vincent.brule
07/06/2018, 1:23 PMRequest URL: http://localhost:8080/employee/update/informations
Request Method: OPTIONS
this one ?
m
mp
07/06/2018, 1:24 PMright, but with all the headers
and paste the current CORS config you’re using
v
vincent.brule
07/06/2018, 1:24 PMAccess-Control-Expose-Headers: ANNIA_SESSION
Connection: keep-alive
Content-Length: 0
Date: Fri, 06 Jul 2018 13:23:06 GMT
Server: ktor-server-core/0.9.2 ktor-server-core/0.9.2
val originUrl = URL(“http://localhost:3000“)
val host = if (originUrl.port > 0) {
“${originUrl.host}:${originUrl.port}”
} else {
originUrl.host
}
host(host, schemes = listOf(originUrl.protocol))
method(HttpMethod.Delete)
method(HttpMethod.Get)
method(HttpMethod.Post)
method(HttpMethod.Put)
header(“ANNIA_SESSION”)
I have a react app on localhost:3000
m
mp
07/06/2018, 1:25 PMRemove
anyHostv
vincent.brule
07/06/2018, 1:25 PMYes sorry It was not the good CORS config I edit it
m
mp
07/06/2018, 1:26 PMalso, get / post are already allowed methods by default
what are the request headers for the preflight?
v
vincent.brule
07/06/2018, 1:26 PMI remove it thanks
Accept: /
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: content-type,headerannia
Access-Control-Request-Method: PUT
m
mp
07/06/2018, 1:27 PM(also probably not an issue here but I see that you’re on ktor 0.9.2; 0.9.3 is current)
v
vincent.brule
07/06/2018, 1:28 PMThanks, I update it
m
mp
07/06/2018, 1:28 PMAh. So, the browser is asking if it’s ok to send
headeranniaannia_sessionheaderannia✅ 1
v
vincent.brule
07/06/2018, 1:30 PMOh I have a variable on my react app name headerannia but the clojure was not respected so my app put the variable name for the header, that’s the problem ! Thank you very much !
Sorry for your time, it was my mistake 😞
m
mp
07/06/2018, 1:32 PMNP, and now you know how to debug CORS 🙂
v
vincent.brule
07/06/2018, 1:33 PMYes sure, I already had many problems with CORS and I just manage some trick but now I know how to do thank you !
d
Deactivated User
07/06/2018, 1:34 PMThanks for helping @mp 🙂 I had a similar issue here: https://github.com/soywiz/realworld-kotlin/blob/master/ktor-backend/src/io/realworld/ktor/Application.kt#L47
I’m going to update the documentation to give some hints on this issue 👍
👍 1
v
vincent.brule
07/06/2018, 1:36 PMThe problem is not the documentation but my lack of knowledge with CORS 😉
m
mp
07/06/2018, 1:36 PMre that config — note that get/post are already enabled, and browsers won’t honor
anyHost()I think struggling with CORS a bit is just one of those things that has to happen every time you start a new project
“Oh right, CORS… *cursing*”
d
Deactivated User
07/06/2018, 1:44 PM🙂 well still if we can provide some hints on which things can go wrong or provide useful resources for troubleshooting, it is always a start I guess
m
mp
07/06/2018, 1:47 PMYeah. I think having a real world working setup is a great start
in practice, people are probably going to want
PUTDELETE👍 2
d
Deactivated User
07/06/2018, 1:54 PM@mp do you think this is a good snippet for a start, or do you miss something? https://github.com/ktorio/ktor-init-tools/commit/e17f8af685601da2f9a4f303e700115cc9333b3c
m
mp
07/06/2018, 1:56 PMUnfortunately,
anyHost()host("<http://foo.com>")👌 1
Most of the time, services know which host(s) they’re expecting to be serviced by, so this isn’t a problem to configure, but hypothetically it might be an interesting extension point to allow people to plug in their own implementations of host checking
i.e. one that always says whatever Origin is requested is allowed — this would let you allow credentialed requests from everything. An odd use case to be sure, but that’s one that currently can’t be expressed.
d
Deactivated User
07/06/2018, 2:00 PMI see, thanks for the insights! Maybe an issue to implement custom logic for origin accepting would be nice, yes
m
mp
07/06/2018, 2:00 PMyep if the current CORS configuration could be wrapped up in a pluggable implementation that seems ideal, if there’s a clean way to do that. That way, most users could use the CORS “engine” that’s shipped out of the box, but if you needed to get crazy, you could plug in your own logic
👍 1
(without having to rewrite the pipeline integration that would be the same for everyone)
all problems can be solved with an additional layer of indirection … 😉 Thanks, JVM, for making monomorphic virtual calls cheap!
😆 1