Search code examples
javascriptnode.jssocketsvtigervtigercrm

socket.io, vTiger, and csrf-magic.js. CORS issues


I'm attempting to create and add a socket.io module to my vTiger 7.0 so that I can update fields in real-time to multiple users.

We are have issues with users changing fields that should be locked while our quality control is attempting to check the record. This is causes things to get approved that should not. Node.js with vTiger will be awesome add-on.

The only problem is that vTiger uses csrf-magic.js to create a token that need to be included in the header to allow CORS

I have the middleware setup in my node project to allow my vtiger to make a request

vTiger is on vtiger.example.com

The node server is on node.example.com:3010

//server code node.example.com:3010
const fs = require("fs");
const config = require("./core/config").config();
var options = {
    key: fs.readFileSync(config.key),
    cert: fs.readFileSync(config.cert),
    ca: fs.readFileSync(config.ca),
    requestCert: true,
    rejectUnauthorized: false,
};

const app = require("express")();
const server = require("https").Server(options, app);
const io = require("socket.io")(server);
// Need to send io to socket module

module.exports = io;
app.use(function (req, res, next) {
    var allowedOrigins = [
        "https://node.example.com",
        "https://vtiger.example.com"
    ];
    var origin = req.headers.origin;
        if (allowedOrigins.indexOf(origin) > -1) {
        res.setHeader("Access-Control-Allow-Origin", origin);
    }

    res.header("Access-Control-Allow-Methods", "GET, OPTIONS");
    res.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
    res.header("Access-Control-Allow-Credentials", true);
    
    return next();
});

io.sockets.on("connection", require("./sockets/socket.js"));

const qc = require('./models/qc_model');
app.get('/', (req,res) => {
    res.json({message: 'No Access'});
})

qc.pullLeadInfo(13622196, 10730, (data) => {
    console.log(data.lead.lsloa_ver_by);
});
    




//Start the server
server.listen(config.port, () => {
    console.log("server listening on port: " + config.port);
});
\\client side vtiger.example.com
var socket = io.connect('https://node.example.com:3010');

I get this error

Access to XMLHttpRequest at 'https://node.example.com:3010/socket.io/?EIO=4&transport=polling&t=NmEEc_r' from origin 'https://vtiger.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
csrf-magic.js:41 GET https://node.example.com:3010/socket.io/?EIO=4&transport=polling&t=NmEEc_r net::ERR_FAILED

I cannot find any good documentation dealing with this issue. Any help would be great!


Solution

  • Found the information here

    https://github.com/socketio/socket.io/issues/3929

    
    // Server
    
    io.engine.on("headers", (headers) => {
      headers["Access-Control-Allow-Private-Network"] = true;
    });
    
    // Client
    
    const socket = io({
      extraHeaders: {
        "Access-Control-Request-Private-Network": true
      }
    });