CORS“允许凭证” Nodejs / Express [英] CORS 'Allow-Credentials' Nodejs/Express

问题描述

我的项目在具有Express后端的Node上运行。

My project is running on Node with an Express backend.

我正在尝试使用Arangojs查询我的Arango数据库客户端。 ArangoDB在Digital Ocean上的Docker上运行。我在查询数据库服务器端时没有问题，但是在页面加载时出现以下错误：

I'm trying to query my Arango database clientside with Arangojs. ArangoDB is running on Docker on Digital Ocean. I have no issues querying my database serverside, however I get the following error on page load:

无法加载
http://0.0.0.0:8529/_db/database/_api/cursor ：对
飞行前请求的响应未通过访问控制检查：响应中
'Access-Control-Allow-Credentials'标头的值为'false'
必须为'true '，当请求的凭据模式为'include'时。因此，不允许
原始‘ http：// localhost：3000 ’访问。 XMLHttpRequest发起的
凭据请求模式是
，由withCredentials属性控制。

Failed to load http://0.0.0.0:8529/_db/database/_api/cursor: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is 'false' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:3000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

我的代码客户端js如下所示：

My code on the clientside js looks like this:

var db = new arangojs.Database({url:'http://0.0.0.0:8529'})
db.useDatabase(dbase)
db.useBasicAuth("database", 'password')
db.query('FOR doc IN docs RETURN doc') // etc. etc.

编辑：一年后的事后这个问题是非常愚蠢-正确的答案是不要通过客户端JS公开您的数据库凭据...与您的后端进行通信，并使其与您的数据存储区进行通信。

1 year later in hindsight this question is pretty silly - The correct answer for this is don't expose your database credentials through clientside JS... Communicate with your backend, and have that communicate with your datastore.

推荐答案

您配置的 cors（）错误，必须使用凭证属性为了配置 Access-Control-Allow-Credentials ：

You are configuring cors() wrong, you have to use credentials property in order to configure Access-Control-Allow-Credentials:

var cors = require('cors');
var corsOptions = {
    origin: '*',
    credentials: true };

app.use(cors(corsOptions));

除此之外，您的 app.all（* ... 是不必要的，因为 app.use（cors（corsOptions））; 已经为您处理了。

Besides that, your app.all(* ... isnt necessary because app.use(cors(corsOptions)); will already handle it for you.

这篇关于CORS“允许凭证” Nodejs / Express的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！