Connect server returns CORS error, works fine in postman

fdrl
Community Member

Hello,

I am trying to connect to the 1Password API via the Connect server.

Currently in our setup we host the connect docker image (https://hub.docker.com/r/1password/connect-sync/) in an ECS AWS instance with some further security layers. However, the frontend is always blocked by CORS. The credentials issued work perfectly well - I have tested them in Postman.

If possible, I would rather not have to create a server specifically to handle CORS. Is there a known workaround for this scenario?



Comments

  • Hi,

    Thank you for reaching out.

    Before we get into a solution, let's first make sure that I correctly understand what it is that you are trying to solve. Could you clarify what you mean by "the frontend"? Do you have a frontend application that should use Connect?

    Joris

  • fdrl
    Community Member
    edited March 2022

    Hi Joris,

    Yes. So we have a frontend that we want to make RESTful requests to persist credentials to 1Password, via the Connect server endpoints. As I said in my previous post, we have set up the Connect server per the advice of the 1Password documentation.

    What I was hoping would happen:

    step 1, A user creates a new set of credentials (email and password) via a web application frontend form with input fields.

    step 2, Once the user is happy with these credentials, they submit the form in a POST request to

    v1/vaults/vault_id/items

    step 3, The credentials are saved to the specific vault (determined by the VAULT_ID) in our company 1Password account.

    The problem

    In step 2, the POST request is blocked by CORS. When I was testing the endpoints I saw that it does work from Postman.

    I know that creating another server to handle these POST requests would solve the problem, but we would prefer not to have to spend extra resources doing so.

    Do you have any suggestions for our case?

    Thank you for replying,
    Rory

  • Hi Rory,

    Thank you for clarifying that. Technically, it would be possible to place an nginx proxy or something similar between Connect and the frontend to set the required CORS headers to allow this request.

    However, we recommend only supplying Connect tokens to, and making requests to Connect from, trusted applications. By supplying a token to the frontend, anyone with access to that frontend can easily extract the token.

    What we recommend instead is adding a server application with a Connect token that handles requests from the frontend and to Connect. Preferably, this also authenticates the users of the application.

    Let me know if you have any other questions.

    Joris
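
The arrangement recommended in the reply above, sketched as an added example that is not part of the thread and not 1Password's own code: a server-side handler holds the Connect token, requires an authenticated session, and takes the vault from server configuration rather than from the browser. The `cfg` fields, the `session.userId` shape and the `LOGIN` item layout are assumptions to check against the Connect API reference.

```javascript
// Added example: build the Connect request on the server so the token never reaches the browser.
// Assumed: cfg = { connectHost, vaultId, token } loaded from server-side configuration.
function buildConnectRequest(session, form, cfg) {
  if (!session || !session.userId) {
    throw Object.assign(new Error("not authenticated"), { status: 401 });
  }
  const { email, password } = form || {};
  const emailOk = typeof email === "string" && /^[^@\s]+@[^@\s]+$/.test(email);
  const passwordOk = typeof password === "string" && password.length > 0 && password.length <= 256;
  if (!emailOk || !passwordOk) {
    throw Object.assign(new Error("invalid credentials payload"), { status: 400 });
  }
  // The vault is pinned by the server; any vault id sent by the client is ignored.
  const url = new URL(`/v1/vaults/${encodeURIComponent(cfg.vaultId)}/items`, cfg.connectHost);
  const item = {
    vault: { id: cfg.vaultId },
    title: `Login for ${email}`,
    category: "LOGIN",
    fields: [
      { id: "username", type: "STRING", purpose: "USERNAME", value: email },
      { id: "password", type: "CONCEALED", purpose: "PASSWORD", value: password },
    ],
  };
  return {
    url: url.href,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${cfg.token}`, "Content-Type": "application/json" },
      body: JSON.stringify(item),
    },
  };
}

// Forward to Connect and hand the browser only a status and the new item id.
async function saveCredentials(session, form, cfg, fetchImpl = fetch) {
  let req;
  try {
    req = buildConnectRequest(session, form, cfg);
  } catch (e) {
    return { status: e.status || 500, body: { error: e.message } };
  }
  const res = await fetchImpl(req.url, req.init);
  if (!res.ok) return { status: 502, body: { error: "vault write failed" } };
  const created = await res.json();
  return { status: 201, body: { id: created.id } };
}
```

Because the browser talks only to this same-origin backend, no CORS headers are needed on Connect, and the Connect server can stay unreachable from the public network.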

  • fdrl
    Community Member

    Thanks for your reply Joris. I'll give this a try in the next few days.

    Thanks again,
    Rory

  • You're welcome! Let me know if I can help out with anything else.

    Joris

This discussion has been closed.