ory proxy exposes duplicate cors headers when already configured upstream

[JuxhinDB]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

https://goofy-dewdney-rri0sodzzj.projects.oryapis.cojm

Describe the bug

We have a use-case to use the ory proxy auxiliary function to proxy our dev environment locally along with the ory session handler. This enables frontend developers to work on the UI while being authenticated correctly.

The issue arises when upstream services already handle CORS headers for you. The proxy will add it's own CORS headers as part of the proxy middleware, which results in duplicate headers, causing CORS to fail in the browser. The only solution right now was to fork and patch the cli with the following patch.

diff --git a/cmd/cloudx/proxy/proxy.go b/cmd/cloudx/proxy/proxy.go
index a5c9f82..cb57b43 100644
--- a/cmd/cloudx/proxy/proxy.go
+++ b/cmd/cloudx/proxy/proxy.go
@@ -223,6 +223,12 @@ func run(cmd *cobra.Command, conf *config, version string, name string) error {
 			return body, nil
 		}),
 		proxy.WithRespMiddleware(func(resp *http.Response, config *proxy.HostConfig, body []byte) ([]byte, error) {
+
+			// Remove a duplicate Access Control header
+			resp.Header.Del("Access-Control-Allow-Origin")
+			// Remove a duplicate Access Allow Credentuals header
+			resp.Header.Del("Access-Control-Allow-Credentials")
+
 			l, err := resp.Location()
 			if err == nil {
 				// Redirect to main page if path is the default ui welcome page.
@@ -239,17 +245,16 @@ func run(cmd *cobra.Command, conf *config, version string, name string) error {
 		return nil
 	}

-	var originFunc func(r *http.Request, origin string) bool
-	if conf.isDev {
-		originFunc = func(r *http.Request, origin string) bool {
-			return true
-		}
+	originFunc := func(r *http.Request, origin string) bool {
+		return true
 	}

+	corsOrigins := []string{"http://localhost:3000", "http://localhost:4000"}
+
 	proto := "http"
 	addr := fmt.Sprintf(":%d", conf.port)
 	ch := cors.New(cors.Options{
-		AllowedOrigins:         conf.corsOrigins,
+		AllowedOrigins:         corsOrigins,
 		AllowOriginRequestFunc: originFunc,
 		AllowedMethods:         corsx.CORSDefaultAllowedMethods,
 		AllowedHeaders:         append(corsx.CORSRequestHeadersSafelist, corsx.CORSRequestHeadersExtended...),

Reproducing the bug

1. Have an upstream service that handles CORS headers;
2. Run the ory proxy: ory proxy --dev --project goofy-dewdney-rri0sodzzj $upstream
3. Access the login url: http://localhost:4000/.ory/self-service/login/browser?return_to=http://localhost:3000
4. Login

This will result in you getting redirected to http://localhost:3000/, which will fetch an api endpoint through the proxy. The response of the proxied request will contain duplicate CORS headers, leading to CORS failure in the browser.

Relevant log output

No response

Relevant configuration

No response

Version

Version: v0.3.4 Git Hash: 654e498 Build Time: 2024-02-10T10:29:21Z

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Binary

Additional Context

No response

[aeneasr]

Hey - awesome find! Would you mind creating a PR for this? :) Looks like you already have the diff :)

[sahra-karakoc]

I am running into the same problem for ory tunnel, what is the current state of this issue?

[JuxhinDB]

Didn't have time to fix this unfortunately, but you should be able to apply the patch locally (assuming things didn't change much) and build the binaries. Otherwise a PR fix would be ideal for the maintainers.

[sahra-karakoc]

I disabled CORS for my Ory project using the Ory CLI and that fixed my problem

ory patch project <your-project-id> \
  --replace '/cors_public/enabled=false' \