[bug] Preflight for posting doesn't allow idempotency-key #1664

Closed
cheeaun opened this issue Apr 2, 2023 · 3 comments · Fixed by #1670
Labels
bug Something isn't working


cheeaun commented Apr 2, 2023

Describe the bug with a clear and concise description of what the bug is.

POSTing to /api/v1/statuses with a request header idempotency-key fails in the browser with this console error:

Access to fetch at 'DOMAIN/api/v1/statuses' from origin 'DOMAIN' has been blocked by CORS policy: Request header field idempotency-key is not allowed by Access-Control-Allow-Headers in preflight response.

The preflight call (OPTIONS) returns this:

access-control-allow-headers: Origin,Content-Length,Content-Type,Authorization,Upgrade,Sec-Websocket-Extensions,Sec-Websocket-Key,Sec-Websocket-Protocol,Sec-Websocket-Version,Connection

It should include Idempotency-Key too.

What's your GoToSocial Version?

0.7.1 git-adb5966

GoToSocial Arch

No response

What happened?

Status posting failed.

What you expected to happen?

Status should be posted successfully.

How to reproduce it?

  1. Go to https://phanpy.social
  2. Log in to a GoToSocial instance
  3. Post a status

Anything else we need to know?

I'm the developer of Phanpy, and this is a bug report from cheeaun/phanpy#91

@cheeaun cheeaun added the bug Something isn't working label Apr 2, 2023
@tsmethurst
Contributor

Thank you! Will fix this :)

Contributor

moan0s commented Jan 29, 2024

This or a related issue seems to happen again as of 13.0.X.

Relevant log from the server

Jan 29 14:52:25 s3 mash-gpa-gotosocial[2431616]: timestamp="29/01/2024 14:52:25.982" func=server.glob..func1.Logger.func13.1 level=INFO latency="9.476633ms" userAgent="Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" method=POST statusCode=499 path=/api/v2/media clientIP=92.13.12.42 requestID=yg7vancd01111115qv80 msg="Client Closed Request: wrote 23B"

In Firefox:
Response body is not available to scripts (Reason: CORS Missing Allow Origin) and Bad Gateway.

Contributor

tsmethurst commented Jan 29, 2024

Oh, hmm, I don't think we changed anything in that regard on our side.

As for CORS Missing Allow Origin, we set access-control-allow-origin: * for CORS requests (as indicated by the origin header being set on requests). You can replicate this with:

curl -v -H 'accept: application/json' -H 'origin: http://localhost' https://gts.superseriousbusiness.org/api/v1/instance
< HTTP/2 200 
< access-control-allow-origin: *
< access-control-expose-headers: Link,X-Ratelimit-Reset,X-Ratelimit-Limit,X-Ratelimit-Remaining,X-Request-Id,Connection,Sec-Websocket-Accept,Upgrade
< cache-control: no-store
< content-security-policy: default-src 'self'; object-src 'none'; img-src 'self' blob: https://s3.superseriousbusiness.org; media-src 'self' https://s3.superseriousbusiness.org
< content-type: application/json
< date: Mon, 29 Jan 2024 15:13:13 GMT
< permissions-policy: browsing-topics=()
< server: gotosocial
< vary: Accept-Encoding
< x-ratelimit-limit: 300
< x-ratelimit-remaining: 296
< x-ratelimit-reset: 2024-01-29T15:15:24.000Z
< x-request-id: 6rdcgncd040018x7xxcg

and

curl -v -X OPTIONS -H 'accept: application/json' -H 'origin: http://localhost' https://gts.superseriousbusiness.org/api/v1/instance
< HTTP/2 204 
< access-control-allow-headers: Origin,Content-Length,Content-Type,Authorization,Idempotency-Key,Upgrade,Sec-Websocket-Extensions,Sec-Websocket-Key,Sec-Websocket-Protocol,Sec-Websocket-Version,Connection
< access-control-allow-methods: POST,PUT,DELETE,GET,PATCH,OPTIONS
< access-control-allow-origin: *
< access-control-max-age: 120
< date: Mon, 29 Jan 2024 15:17:57 GMT
< x-request-id: khpcrncd040004y7jbk0

Could this be some other problem?
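
Added example, not part of the thread and not GoToSocial's or Phanpy's code: a simplified JavaScript model of the header check a browser applies to a preflight response, run against the two access-control-allow-headers values quoted above. The function names, the `credentialed` parameter and the sample request are assumptions; the safelist handling omits the value-length and Range rules.

```javascript
// Simplified model of the browser's CORS-preflight request-header check.
// Omitted: byte/length limits on safelisted header values and the Range header.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Split an Access-Control-Allow-Headers value into lowercase header names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// True when the header must be named (or wildcarded) in the preflight response.
function needsPreflightApproval(name, value) {
  if (SAFELISTED.has(name)) return false;
  if (name === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Returns the request header names the preflight response does not permit.
function blockedHeaders(requestHeaders, allowHeadersValue, credentialed = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = allowed.has("*") && !credentialed;
  const blocked = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (!needsPreflightApproval(name, String(value))) continue;
    if (allowed.has(name)) continue;
    // "*" never covers Authorization; it has to be listed by name.
    if (wildcard && name !== "authorization") continue;
    blocked.push(name);
  }
  return blocked;
}

// Header values copied from the two preflight responses quoted in the thread.
const BEFORE_FIX = "Origin,Content-Length,Content-Type,Authorization,Upgrade,Sec-Websocket-Extensions,Sec-Websocket-Key,Sec-Websocket-Protocol,Sec-Websocket-Version,Connection";
const AFTER_FIX = "Origin,Content-Length,Content-Type,Authorization,Idempotency-Key,Upgrade,Sec-Websocket-Extensions,Sec-Websocket-Key,Sec-Websocket-Protocol,Sec-Websocket-Version,Connection";

// Constructed sample request; the token and key are placeholders.
const statusPost = { "Content-Type": "application/json", Authorization: "Bearer PLACEHOLDER_TOKEN", "Idempotency-Key": "constructed-key-0001" };
console.log(blockedHeaders(statusPost, BEFORE_FIX)); // [ 'idempotency-key' ]
console.log(blockedHeaders(statusPost, AFTER_FIX)); // []
```

A non-empty result corresponds to the "is not allowed by Access-Control-Allow-Headers in preflight response" console error; an empty result means the header list is not what blocks the request.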
