Failed by CORS on Signup

Hello there,

Recently I started to get an error on every signup using “Username-Password-Authentication”. The app is an Electron app, so the website is loaded using file://. The thing is that I cannot add file:// under Allowed Web Origins in the client because of the validation. I tried adding file:/// under Allowed Origins (CORS); that was accepted, but I still cannot sign up, same error.

Here’s the log:

Type: Failed by CORS
Description: Origin file:// is not allowed. Behavior used for check: WEB ORIGINS

RAW:
{
  "date": "2018-07-18T18:25:47.917Z",
  "type": "fco",
  "description": "Origin file:// is not allowed. Behavior used for check: WEB ORIGINS",
  "connection_id": "",
  "client_id": "hai2WNByiZuoubumGQvm_cDVT_ooiZsE",
  "client_name": "---",
  "ip": "----",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) --/1.0.2 Chrome/61.0.3163.100 Electron/2.0.4 Safari/537.36",
  "details": {
    "xhr": false,
    "method": "POST",
    "origin": "file://",
    "webOrigins": [
      "http://localhost:9080",
      "http://local.test.com:9080"
    ],
    "headers": {
      "x-forwarded-host": "auth.test.com",
      "x-forwarded-proto": "https",
      "x-forwarded-for": "181.231.57.18, 172.25.5.203, 172.25.4.186",
      "host": "test.auth0.com",
      "content-length": "214",
      "x-forwarded-port": "443",
      "x-amzn-trace-id": "Root=1-5b4f862b-eb857330e6e954b5a39095be",
      "auth0-client": "----",
      "origin": "file://",
      "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ----/1.0.2 Chrome/61.0.3163.100 Electron/2.0.4 Safari/537.36",
      "content-type": "application/json",
      "accept": "*/*",
      "accept-encoding": "gzip, deflate",
      "accept-language": "es-419",
      "cookie": "auth0=s%3A78V-24OpR5u5wKiO-G4335WvamU7THFW.WTYBxFyXOF1zrDF%2F64pzyPql8bNjeLwqCW8uYZoeDWKU"
    },
    "host": "https://test.auth0.com",
    "originalUrl": "/co/authenticate"
  },
  "hostname": "auth.test.com",
  "auth0_client": {
    "name": "lock.js",
    "version": "11.7.2",
    "lib_version": "9.6.1"
  },
  "log_id": "90020180718182547921869186125519030230960239254072983634"
}

BTW, I’m using Lock via CDN and not via Node. Maybe this is the problem?

Please any answer? I need to solve this ASAP.

Hey @saenzramiro8

Can you provide a little more detail? Possibly a link to your code (without sensitive keys/info). That would be really helpful.

Here’s the code: Auth0 Bug · GitHub

SSO using Google or Facebook works OK, but only “Username-Password” from Auth0 doesn’t work.

If you need more details, please let me know.

@luke.oliff Any help?

Hey @saenzramiro8, I’m still here! Just looking into it now with a couple of helpful engineers.

So hey @saenzramiro8, we have been discussing Electron use internally for a little while. I think your issue could be that the flow you’re using isn’t designed to be used in Electron.

We’re currently recommending Electron apps use the Authorization Code Grant + PKCE, as we would recommend with native apps.

Here is a guide to setting that up: Call Your API Using the Authorization Code Flow with PKCE

My limited understanding of this issue is that the Implicit Grant, unlike the Authorization Code Grant + PKCE, is vulnerable to a local app acting as a fake endpoint for the token, essentially becoming a man-in-the-middle attack that can take your token (and maybe pass it back to Electron, so you never know!).

The specific CORS error you’re running into is probably related to not being able to register a local domain on our dashboard as an origin, I’m not sure you’d want to either. It wouldn’t be very secure due to the man-in-the-middle attack risk.