[Bug]: Access blocked by CORS / missing headers

[klickparkdominik]

Expected behavior

When accessing Pimcore objects via datahub (graphql) I expect to get a valid response without CORS error.

Actual behavior

I get the following error:

Access to fetch at 'https://domainA.com/pimcore-graphql-webservices/myid?apikey=1337' from origin 'https://domainB.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Steps to reproduce

I access Pimcore objects via datahub (graphql) from my VueJS application.

Pimcore is running on: domainA.com
Frontend is running on: domainB.com

This issue started happening after the update to version 1.8.3.
Right now we are on version 1.9.0.

This issue is happening when Pimcore is set to environment dev and production no matter what.

Rebuilding workspaces and clearing cache does not resolve the problem.

I should maybe note that we use a self-hosted pimcore.

[klickparkdominik]

To me it looks like this change introduced the problem: #896

When I revert the change made in file WebserviceController.php it fixes the error.
https://github.com/Egston/pimcore-data-hub/blob/7fb17e26f6108ec2318d9e71427bd275f5c10a40/src/Controller/WebserviceController.php

Basically I require these lines otherwise no access headers are sent:

        $origin = '*';
        if (!empty($_SERVER['HTTP_ORIGIN'])) {
            $origin = $_SERVER['HTTP_ORIGIN'];
        }

        $response = new JsonResponse($output);
        $response->headers->set('Access-Control-Allow-Origin', $origin);
        $response->headers->set('Access-Control-Allow-Credentials', 'true');
        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
        $response->headers->set('Access-Control-Allow-Headers', 'Origin, Content-Type, X-Auth-Token');

[klickparkdominik]

This is a quick step-by-step guide to reproduce the error.
To demonstrate the problem I use the publicly available pimcore demo project. (https://demo.pimcore.fun/admin - Version 2024.4 as of right now)

1)
Open any GraphQL client for example: https://graphql-web-client.vercel.app/

2)
Use these settings:

• Host / GraphQL endpoint: https://demo.pimcore.fun/pimcore-graphql-webservices/shop
• Query:

{
  getOnlineShopOrderListing {
    edges {
      node {
        id
      }
    }
  }
}

• Headers:

{
  "X-API-Key": "295b86489dca91a4aafaac8315cdb84a"
}

3)
Result is the CORS error, because domains do not match:

4)
No error is happening when using the Pimcore preview, because it's the same domain:

[mcop1]

Hello @klickparkdominik ,
I can reproduce the issue with demo env. Quick question though: Do you have the ouptut cache enabled? (https://docs.pimcore.com/platform/Datahub/GraphQL/#output-cache)

Does enabling/disabling it make a difference?

[klickparkdominik]

Hi @mcop1 ,

thank you for checking and confirming.

When reporting the initial issue above, no pimcore_data_hub key was set in config.yml. So I guess it was disabled because that's the default according to the docs.

Setting output_cache_enabled to true fixed it for me. So for now I will keep it enabled with 1sec lifetime as workaround.

[mcop1]

Thanks for the answer, helps a lot. I will provide a pull request that fixes the problem when the cache isn´t enabled and link it here.

[klickparkdominik]

Resolved by #925