Oka, anyone got a working setup with multiple subd...
# talk-kratos
l
Okay, anyone got a working setup with multiple subdomains but same top-level domain CSRF/CORS settings? I feel like I have tried every setting in kratos.yml & the UI variables... nothing works. I'm also hitting an infinite loop.
e
l
yes, i'm doing exactly that 🙂
I added CORS debug in Kratos and I got:
```
kratos-1  | [cors] 2024/02/21 19:53:15 ServeHTTP: Actual request
kratos-1  | [cors] 2024/02/21 19:53:15   Actual request no headers added: missing origin
```
Later today I will try to run it in just dev mode, to see if that "fixes" it.
e
Yeah, it works well for me in dev mode, but I am using the `@ory/components`, which also sets up the cookies and the requests appropriately.
l
I do expect the UI (express app) to do the same 🙈 but I do wanna get it to work with full prod setup though, so I'm gonna fight it 😄
n
Have you tried setting up CORS to be handled by whatever proxy you have in front (e.g., Traefik, Nginx, etc.)? You can set up for the proxy to handle the CORS for you on those routes on those domains.
l
I have not, but def might be something to look at
so this is super weird @numerous-energy-92403 everything is localhost now, serving kratos with `--dev --watch-courier`
```
kratos-1  | [cors] 2024/02/22 09:59:00 ServeHTTP: Actual request
kratos-1  | [cors] 2024/02/22 09:59:00   Actual request no headers added: missing origin
kratos-1  | {"file":"/go/pkg/mod/github.com/ory/x@v0.0.614/reqlog/middleware.go:146","func":"github.com/ory/x/reqlog.(*Middleware).ServeHTTP","http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,da;q=0.8","connection":"keep-alive","cookie":["csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=hDSpNzRkb4EDvc0Ns8C4+dEGrUH68jNl9ZBm9joHj+I=; csrf_token_be481debe9e1ebcf14d99f6f631d9a520ca6701ba0f3e4398508af30ebb1f509=0LrcC5vjLf54SfdCjWyYoo6XsGE8uSPCynO8unMAngk="],"referer":"http://0.0.0.0:4455/","sec-ch-ua":"\"Not A(Brand\";v=\"99\", \"Google Chrome\";v=\"121\", \"Chromium\";v=\"121\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"cross-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"},"host":"127.0.0.1:4433","method":"GET","path":"/self-service/registration/browser","query":null,"remote":"192.168.65.1:17904","scheme":"http"},"http_response":{"headers":{"cache-control":"private, no-cache, no-store, must-revalidate","content-type":"text/html; charset=utf-8","location":"http://127.0.0.1:4455/registration?flow=56d36c1a-c639-4cbd-a5d0-7b2720b89364","vary":"Origin"},"size":103,"status":303,"text_status":"See Other","took":9800041},"level":"info","msg":"completed handling request","time":"2024-02-22T09:59:00.886291755Z"}
```
```yaml
kratos-selfservice-ui-node:
    image: oryd/kratos-selfservice-ui-node:v1.1.0
    environment:
      - KRATOS_PUBLIC_URL=http://127.0.0.1:4433
      - COOKIE_SECRET=xVTCca9e+SG92uJkrjYuMwGkg/9KAw==
      - CSRF_COOKIE_NAME=locate.coffee
      - CSRF_COOKIE_SECRET=xVTCca9e+SG92uJkrjYuMwGkg/9KAw==
      - PORT=4455
```
Seems like there is a bug in that container's app. I just cloned https://github.com/ory/kratos-selfservice-ui-react-native and am running it on my laptop, works fine.
```
kratos-1  | [cors] 2024/02/22 10:07:36 ServeHTTP: Actual request
kratos-1  | [cors] 2024/02/22 10:07:36   Actual response added headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Origin:[*] Access-Control-Expose-Headers:[Content-Type] Vary:[Origin]]
```
n
That is interesting indeed. Now, React Native would not be subject to CORS inspection, because native applications go through a different workflow. CORS is explicitly used only for web applications.
You cannot trust the fact that React Native is working.
l
Ahhh.. Makes sense. Well I only need basics for now so the react app works. But still very interesting that the express js app is "broken" 🤔