CORS protection active when same-origin

[spocon]

Describe the bug
Trying to make a frontend work by using your API but i keep getting rejected because CORS Filters are still active.

ApiServer == localhost:3455
HttpServer Frontend = localhost:1234

Because its the same domain and CORS is active i get "Same-Origin" CORS back

I tried to overwrite your ApiServer class to make it work but this undertow-cors-filter is garbage and not working.

They found a solution here:

https://stackoverflow.com/questions/42066845/how-to-enable-access-control-allow-origin-in-undertow

but that would mean i have to overwrite your AbsSessionHandler.class . At that point i gave up otherwise i needed to rewrite your whole API :-P

Could you please add this to your AbsSessionHandler.class :

exchange.getResponseHeaders().put(new HttpString("Access-Control-Allow-Origin"), "*"); exchange.getResponseHeaders().put(new HttpString("Access-Control-Allow-Methods"), "GET, POST, PUT, DELETE"); exchange.getResponseHeaders().put(new HttpString("Access-Control-Allow-Headers"), "*");

[spocon]

Have you thought about it to write a Spring Boot 2 Rest API ? Its super simple and much better than this Undertow. If you like i could write it ?

[spocon]

created pull request https://github.com/librespot-org/librespot-java/pull/189/files

[lkwg82]

I made a PR #161 to add this already in december.

It was somehow lost. I guess mainly because I was too lazy to add tests :|.

@spocon Can u make better than me? Plz add some test. Else it will break again soon.

[spocon]

Hi lkwg82 ,

That would be a integration test than, because with a normal JUnit test is nothing to test. We would need to install a Rest client like Rest Assured and run a server and check the response if the Allow Origin is in the response. Thats quite a lot of work and at least 3 more test packages in pom for such a small task. I made a manual test instead and checked if it works

[spocon]

This undertow is giving me hug headache. I should have known when I read that it's from JBOSS... Anyway, the response is correct thought the request is still blocked , especially request method OPTIONS is needed to get the information of Allow-Origin. Since undertow lacks of the simplest features of a http server I have no choice as rewrite the API( using spring boot 2)

[devgianlu]

Since undertow lacks of the simplest features of a http server I have no choice as rewrite the API( using spring boot 2)

I don't think I will accept a rewrite of the API. Undertow allows for a much larger level of flexibility (in my opinion) and the API is very lightweight.

Allowing any origin is just fine.

[spocon]

Yes but its still not working. Even if you add my changes. I think its best if I start my own project for the frontend and include your librespot-java core library only, with that approach i don't need two HttpServers running in the same time and wont run into the same issue.

[devgianlu]

Could it be an issue with the browser? https://stackoverflow.com/questions/10883211/deadly-cors-when-http-localhost-is-the-origin

[spocon]

I don't believe its the browser, i have used firefox and the restriction is clearly on server side.

I make quite good progress with the new REST API 👍

https://github.com/spocon/lovspotify

First working version with /player/current is working

as well as :

• /volumeup
• /volumedown

I think i will be finished in a few days

If you change you mind i would be happy to give you the code

[lkwg82]

I will have a look at this, because I like to upgrade my lib version.

[devgianlu]

@spocon The idea of having a complete frontend is pretty nice and I think it's better if you design it yourself to achieve much better results. The API in this project is meant for very basic usage from a terminal or simple script calls, not really a browser.

Keep it going!

[lkwg82]

@spocon

Just as a side note: I did a spare time project in december to replace my internet radio after it broke and I integrated it with spotify in the ui: https://lkwg82.github.io/webradio/ (https://github.com/lkwg82/webradio/) and it works with CORS.

run locally the api-server and open the url