Failed by CORS on Signup

saenzramiro8 · July 18, 2018, 6:51pm

Hello there,

Recently I started to get an error on every signup using “Username-Password-Authentication”. The app is an Electron app, so the website is loading using file://. The thing is that I cannot add it file:// under Allowed Web Origins in the client because of the validation. I tried adding file:/// under Allowed Origins (CORS), allowed me but still cannot sign up, same error.

Here’s the log:

Title	Description
Type	Failed by CORS
Description	Origin file:// is not allowed. Behavior used for check: WEB ORIGINS
RAW

{
  "date": "2018-07-18T18:25:47.917Z",
  "type": "fco",
  "description": "Origin file:// is not allowed. Behavior used for check: WEB ORIGINS",
  "connection_id": "",
  "client_id": "hai2WNByiZuoubumGQvm_cDVT_ooiZsE",
  "client_name": "---",
  "ip": "----",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) --/1.0.2 Chrome/61.0.3163.100 Electron/2.0.4 Safari/537.36",
  "details": {
    "xhr": false,
    "method": "POST",
    "origin": "file://",
    "webOrigins": [
      "http://localhost:9080",
      "http://local.test.com:9080"
    ],
    "headers": {
      "x-forwarded-host": "auth.test.com",
      "x-forwarded-proto": "https",
      "x-forwarded-for": "181.231.57.18, 172.25.5.203, 172.25.4.186",
      "host": "test.auth0.com",
      "content-length": "214",
      "x-forwarded-port": "443",
      "x-amzn-trace-id": "Root=1-5b4f862b-eb857330e6e954b5a39095be",
      "auth0-client": "----",
      "origin": "file://",
      "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ----/1.0.2 Chrome/61.0.3163.100 Electron/2.0.4 Safari/537.36",
      "content-type": "application/json",
      "accept": "*/*",
      "accept-encoding": "gzip, deflate",
      "accept-language": "es-419",
      "cookie": "auth0=s%3A78V-24OpR5u5wKiO-G4335WvamU7THFW.WTYBxFyXOF1zrDF%2F64pzyPql8bNjeLwqCW8uYZoeDWKU"
    },
    "host": "https://test.auth0.com",
    "originalUrl": "/co/authenticate"
  },
  "hostname": "auth.test.com",
  "auth0_client": {
    "name": "lock.js",
    "version": "11.7.2",
    "lib_version": "9.6.1"
  },
  "log_id": "90020180718182547921869186125519030230960239254072983634"
}

Context

{
  "xhr": false,
  "method": "POST",
  "origin": "file://",
  "webOrigins": [
    "http://localhost:9080",
    "http://local.test.com:9080"
  ],
  "headers": {
    "x-forwarded-host": "auth.test.com",
    "x-forwarded-proto": "https",
    "x-forwarded-for": "181.231.57.18, 172.25.5.203, 172.25.4.186",
    "host": "test.auth0.com",
    "content-length": "214",
    "x-forwarded-port": "443",
    "x-amzn-trace-id": "Root=1-5b4f862b-eb857330e6e954b5a39095be",
    "auth0-client": "---",
    "origin": "file://",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ----/1.0.2 Chrome/61.0.3163.100 Electron/2.0.4 Safari/537.36",
    "content-type": "application/json",
    "accept": "*/*",
    "accept-encoding": "gzip, deflate",
    "accept-language": "es-419",
    "cookie": "auth0=s%3A78V-24OpR5u5wKiO-G4335WvamU7THFW.WTYBxFyXOF1zrDF%2F64pzyPql8bNjeLwqCW8uYZoeDWKU"
  },
  "host": "https://test.auth0.com",
  "originalUrl": "/co/authenticate"
}

saenzramiro8 · July 19, 2018, 1:27am

BTW, I’m using Lock via CDN and not via Node. Maybe this is the problem?

saenzramiro8 · July 23, 2018, 3:29pm

Please any answer? I need to solve this ASAP.

luke.oliff · July 23, 2018, 4:05pm

Hey @saenzramiro8

Can you provide a little more detail? Possibly a link to your code (without sensitive keys/info). That would be really helpful.

saenzramiro8 · July 23, 2018, 6:03pm

Here’s the code: Auth0 Bug · GitHub

SSO using Google or Facebook works ok, but only “Username-Password” from Auth0 don’t work.

If you need more details, please let me know.

saenzramiro8 · July 25, 2018, 2:22pm

@luke.oliff Any help?

luke.oliff · July 25, 2018, 3:57pm

Hey @saenzramiro8, i’m still here! Just looking into it now with a couple of helpful engineers

luke.oliff · July 25, 2018, 4:06pm

So hey @saenzramiro8, we have been discussing Electron use internally for a little while. I think your issue could be that the flow you’re using isn’t designed to be used in Electron.

We’re currently recommending Electron apps use the Authorization Code Grant + PKCE, as we would recommend with native apps.

Here is a guide to setting that up: Call Your API Using the Authorization Code Flow with PKCE

My limited understanding of this issue is that using Implicit Grant instead of Authorization Code Grant + PKCE is that it is vulnerable to a local app acting as a fake endpoint for the token, essentially becoming a man-in-the-middle attack that can take your token (and maybe pass it back to Electron, so you never know!)

The specific CORS error you’re running into is probably related to not being able to register a local domain on our dashboard as an origin, I’m not sure you’d want to either. It wouldn’t be very secure due to the man-in-the-middle attack risk.