'Access-Control-Allow-Origin' header not being sent

[SelectSweet]

I am getting a constant Cors header related error, despite the origin being set in the CorsLayer, is their something or multiple things i need to add or remove to fix this or is their something else i need to do to fix this issue

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8000/api/login. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

let origins = [
        "http://localhost:3000/".parse::<HeaderValue>().unwrap(),
        "http://localhost:3000/Feed".parse::<HeaderValue>().unwrap(),
 ];

let cors = CorsLayer::new()
        .allow_methods([Method::GET, Method::POST, Method::OPTIONS, Method::HEAD])
        .allow_origin(origins)
        .allow_headers([ORIGIN, ACCESS_CONTROL_REQUEST_HEADERS, CONTENT_TYPE, COOKIE, ACCESS_CONTROL_ALLOW_ORIGIN])
        .allow_credentials(true)
        .expose_headers([CONTENT_TYPE, ACCESS_CONTROL_REQUEST_HEADERS, ORIGIN])
        ;

[jplatte]

I'm pretty sure all of those headers in the allow list are pointless except for content-type (which should be partially allowed by default, i.e. for some values). Your expose-headers also seem.. bogus. I would suggest to leave them off unless you are actually having trouble with reading a certain response header value. C.f. CORS-safelisted request header, CORS-safelisted response header.

As to your actual problem, it's impossible to tell what's wrong without seeing what the request and response look like. Can you copy-paste the request and response headers from your browser's network tab? (in Firefox this is right click on a particular request > "Copy Value" > "Copy Request Headers" / "Copy Response Headers")

[SelectSweet]

Request Header

POST /api/login HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:3000/
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://localhost:3000
DNT: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Pragma: no-cache
Cache-Control: no-cache

Response Header

HTTP/1.1 200 OK
content-type: application/json
set-cookie: id=7f7866e2-d575-48bd-a80d-ea3854b82f74
content-length: 9
access-control-allow-credentials: true
vary: origin, access-control-request-method, access-control-request-headers
access-control-expose-headers: content-type,access-control-request-headers,origin
date: Fri, 08 Sep 2023 09:19:36 GMT

[jplatte]

Oh, I didn't pick on up it before, but the problem is actually with your allowed origin, it's not a valid origin at all! An origin never includes the path. You just have to change to .allow_origin("http://localhost:3000".parse::<HeaderValue>().unwrap()).

[SelectSweet]

that fixed it