CORS 'Allow-Credentials' Nodejs/Express

Question

My project is running on Node with an Express backend.

I'm trying to query my Arango database clientside with Arangojs. ArangoDB is running on Docker on Digital Ocean. I have no issues querying my database serverside, however I get the following error on page load:

Failed to load http://0.0.0.0:8529/_db/database/_api/cursor : Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is 'false' which must be 'true' when the request's credentials mode is 'include'. Origin ' http://localhost:3000 ' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

My code on the clientside js looks like this:

var db = new arangojs.Database({url:'http://0.0.0.0:8529'})
db.useDatabase(dbase)
db.useBasicAuth("database", 'password')
db.query('FOR doc IN docs RETURN doc') // etc. etc.

EDIT: 1 year later in hindsight this question is pretty silly - The correct answer for this is don't expose your database credentials through clientside JS... Communicate with your backend, and have that communicate with your datastore.

Answer 1

You are configuring cors() wrong, you have to use credentials property in order to configure Access-Control-Allow-Credentials :

var cors = require('cors');
var corsOptions = {
    origin: '*',
    credentials: true };

app.use(cors(corsOptions));

Besides that, your app.all(* ... isnt necessary because app.use(cors(corsOptions)); will already handle it for you.

Answer 2

You must set origin with a "trusted" URL or an array of "trusted" URLs, each with protocol + domain + port when, you configure cors with credentials. origin : '*' is blocked, because using credentials for every origin is too permissive. It is like not using credentials at all.