-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apollo Server 2 - Override CORS Default #1142
Comments
@zachrnolan You'll have to use Right now we have to create an instance of express to pass in as |
@evans generally I would prefer to avoid heavy library such as express just to enable |
https://www.apollographql.com/docs/apollo-server/api/apollo-server.html#Parameters-2 This is now available. |
The method supplied by @ScreamZ requires the use of To not require the need of a middleware, instead one can supply the const server = new ApolloServer({
cors: false,
typeDefs,
resolvers
}); |
@SimonKinds This is also an option, I was using it before I needed to use cookies in my request context.
Consider settings an array of hosts or a function as described in the original EDIT: This is for |
@ScreamZ Please excuse me if I'm incorrect, but the lack of a The effect |
@SimonKinds My bad, I think you're right, it was about |
For anyone else reading this, newer versions of apolloServer accept the |
@norbertkeri, correct me if I'm wrong but that's the The
|
You are probably right, sorry. |
Anyway, I spent a few hours trying to figure out why apollo-server-express was not working until I got here. You're both right, probably. Thank you guys! |
After migrating from apollo server 1 to version 2 I could not figure out why I am getting access-control-allow-origin * even if I have my own express middleware taking care of the cors. As it turns out, apollo server has its own cors implementation and therefore you need to turn it off if you have cors set up allready. The official documentation is wrong / or not clear, since you have to turn it off in two places in order to disable it. // first pass cors: false to the constructor:
const server = new ApolloServer({
cors: false,
...
})
// and you also have to pass it here
server.applyMiddleware({ app, cors: false }); Now it will not override your own implementation. |
In
This is how my server is configured
but neither of those worked. I can't use
In FireFox the Can anybody help me? |
Maybe think about switch to express ? import { ApolloServer } from "apollo-server-express";
apolloServer.applyMiddleware({
app,
cors: {
credentials: true,
origin: true
},
path: "/",
}); |
@ScreamZ thanks for help, it did not help first. Then I wondered why the SSL error and the it hit me - my apollo client was making requests to Note to myself - never blindly copy and paste code from the Internet. |
The CORS settings come from ExpressJS, not from ApolloServer. If you want to add a custom or wildcard origin you have to handle it with a callback function. const server = new ApolloServer({
....,
cors: {
credentials: true,
origin: (origin, callback) => {
const whitelist = [
"http://site1.com",
"https://site2.com"
];
if (whitelist.indexOf(origin) !== -1) {
callback(null, true)
} else {
callback(new Error("Not allowed by CORS"))
}
}
}
}); |
Thank you @agavazov . The above worked for me and the client/server architecture appears to handle the whole thing, IE. There is no need to make specific changes to the client. I imagine the InMemoryCache setting is where that happens, (for Angular pure client) : // ../src/app/app.module.ts
providers: [
{
provide: APOLLO_OPTIONS,
useFactory: (httpLink: HttpLink) => {
return {
cache: new InMemoryCache(),
link: httpLink.create({
uri: '/api/graphql'
})
};
}, |
Apollo was overidding my cors middleware applied to the express app. I moved cors from the express to here: apolloServer.applyMiddleware({ app, cors: {origin: "http://localhost:3000", credentials: true} }); and now it works. |
I'm having exactly the same problem, and your solution just worked perfectly. Thank you =) |
@davincif If you pass |
@glasser 's answer: this is the way! :) For those having some trouble using const app = express.default();
app.use(CorsMiddleware); you'll notice that apollo server will disregard your cors middleware: // your earlier cors middleware will be disregarded because cors defaults to `true`
apolloServer.applyMiddleware({ app, path: '/graphql' });
// when using cors options, even if they are the same for both your cors middleware, and specified here in .applyMiddleware,
// your first cors middleware will be disregarded.
apolloServer.applyMiddleware({ app, path: '/graphql', cors: corsOptions }); // This will make your initial cors middleware be respected o7
apolloServer.applyMiddleware({ app, path: '/graphql', cors: false }); Also worth mentioning, import * as express from 'express';
import { ApolloServer } from 'apollo-server-express';
import cors, { CorsOptions } from 'cors';
// https://github.com/expressjs/cors#readme
const corsAllowedOrigin: Array<string | RegExp> = ['https://foobar.com'];
if (!config.IS_PROD) {
corsAllowedOrigin.push(/localhost/);
}
const corsOptions: CorsOptions = {
origin: corsAllowedOrigin,
credentials: true,
};
const CorsMiddleware = cors(corsOptions);
const app = express.default();
// regex for `cors.origin` will work
app.use(CorsMiddleware);
// regex for `cors.origin` will NOT work
apolloServer.applyMiddleware({ app, path: '/graphql', cors: false }); |
Is there a way to override the CORS default when using apollo-server directly? It looks like apollo-server is defaulting to
origin: '*'
, and I'd like to lock it down so only my client can hit the server.I don't see anything related to CORS in
ApolloServer
orlisten()
. It does look like I can set CORS inregisterServer
using express middleware. Is that the only way?The text was updated successfully, but these errors were encountered: