rack-cors response headers not showing up

[John Knapp]

Seeking advice on a vexing cors problem.

My roda response headers are working as expected but the cors response headers are simply absent! I've opened a rack-cors issue so we'll see what replies come in.

I'm posting here in case someone can provide troubleshooting advice, I've confirmed my cors setup and have run out of things to try!

I'm not surprised there's not much cors info in this group. The rack-cors gem usually works fine but it's making me crazy in my current roda project.

By the way, I <3 Roda! Thank you Jeremy!

[Jeremy Evans]

Unfortunately, I don't think I can help here.  It sounds like rack-cors is a middleware, so it would see the request before Roda and the response that Roda returns.  Hopefully the rack-cors developers can help, but based on the information you provided, I'm not sure they will be able to.  You should try creating a minimal, self contained, reproducible example, and post that to the rack-cors issue.  That will hopefully help the rack-cors developers identify the issue (if it is an issue in rack-cors).

Thanks,

Jeremy

[John Knapp]

Thank you Jeremy, I realize a roda involvement is unlikely. As I understand rack response preparation, each middleware in turn builds up the response and at the end of that process, roda fires it off. 

Can you think of anything that might cause cors headers to get dropped along the way - perhaps from a misconfigured roda plugin? I am using default_headers plugin but my cors issue remains when I pull that out.

Anyway, once again Jeremy I want to thank you for roda, for sequel and your top-notch oversight of these two fantastic packages!

Regards,

JK

[Jeremy Evans]

On Fri, Dec 18, 2020 at 8:02 AM John Knapp <j...@skillbank.io> wrote:

Thank you Jeremy, I realize a roda involvement is unlikely. As I understand rack response preparation, each middleware in turn builds up the response and at the end of that process, roda fires it off. 

No, that's not how rack middleware works.  If you have middleware M and rack app A:

server (Puma/Unicorn/etc.) calls M with request env hash

  M does whatever it wants with request env hash

  M calls A with (possibly modified) request env hash

    A processes request env hash and returns rack response array

  M receives rack response array from A

  M does whatever it wants with the rack response array

  M returns (possibly modified) rack response array

server receives rack response array from M

In this case, M is rack-cors and A is Roda.

 

Can you think of anything that might cause cors headers to get dropped along the way - perhaps from a misconfigured roda plugin? I am using default_headers plugin but my cors issue remains when I pull that out.

Assuming these are response headers, remember that rack-cors, being a middleware, adds response headers after the application has already returned a response.  So I don't think this could have anything to do with Roda.  You could replace Roda with a simple proc that follows the rack spec and you would probably have the same issue.

At least, that's my guess.  Without seeing a minimal example, that's the best I can do.

Thanks,

Jeremy

[John Knapp]

Thank you for the clarification. I understand the "round trip" concept you outlined. Given that rack-cors is first in and last-out, (if I understand that correctly) and given the problem exists on the options method preflight, (which may not even get to roda) that's probably all rack-cors. I'm creating a test app to try to reproduce.

[John Knapp]

An FYI for you Jeremy: I created a public repository with a minimal rack-cors / roda app which replicates the problem reported. I updated the rack-cors issue with a link to this repo and look forward to hearing back from Calvin.

[John Knapp]

Thank you Jeremy for the rack test code you posted on that rack-cors issue. Eliminating roda entirely and I still see no cors headers in the response to the cors preflight test! And thank you for pointing out the string vs symbol issue on my hash_branch method call. I'll correct that in my app. (Which already has the json plugins.)

[John Knapp]

Favorite saying I overheard long ago from a couple PC technicians: Tech 1: "Did you find the problem?" Tech 2:"Yes, it was a loose nut behind the keyboard."

Cors is tricky but a robust approach for controlled cross site access to remote API resources.

To help other roda users in the future, I updated a rack-cors + roda repository with a readme I hope people find beneficial.