
How To Make A POST Request To Stripe Endpoint Without CORS Preflight


Trying to make a basic POST request to a Stripe endpoint in Node:

const https = require('https');

// Form-encoded OAuth token exchange body; the remaining parameters were elided in the post
const data = 'client_secret=stripe_sk&grant_type=authorization_code'; // ...

const options = {
  hostname: 'connect.stripe.com',
  port: 443,
  path: '/oauth/token',
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
};

const req = https.request(options, res => {
  // Stream Stripe's response body straight to stdout
  res.on('data', d => process.stdout.write(d));
});
req.on('error', err => console.error(err));
req.write(data);
req.end();

The response:

Failed to load https://connect.stripe.com/oauth/token:
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://localhost:3000' is therefore not allowed access. 
The response had HTTP status code 400.  If an opaque response serves your needs, 
set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

server.js

const express = require('express');
const next = require('next');
const nextI18NextMiddleware = require('next-i18next/middleware');
const nextI18next = require('./i18n');
const app = next({ dev: process.env.NODE_ENV !== 'production' });
const routes = require('./routes');
const handler = routes.getRequestHandler(app);

(async () => {
    await app.prepare();
    const server = express();
    nextI18NextMiddleware(nextI18next, app, server);
    server.get('*', (req, res) => handler(req, res));
    await server.listen(3000);
    console.log('Ready on http://localhost:3000');
})();

Wild guess

Looks like something's silently modifying the headers, and it's not a simple POST but a POST with some additional headers which, in turn, trigger the CORS preflight rules.
Using Postman I get the expected results, and the problem is in the headers.

How can I learn what's affecting my POST requests? Any hints would be greatly appreciated!

HTTP 303

Request URL: https://connect.stripe.com/oauth/token
Request Method: GET
Status Code: 303 
Remote Address: 54.187.119.242:443
Referrer Policy: strict-origin-when-cross-origin
content-length: 0
content-security-policy: 
location: https://connect.stripe.com/login?redirect=%2Foauth%2Ftoken
referrer-policy: strict-origin-when-cross-origin
request-id: 1550537522-mreq_9XV0Kp3XVIJYPq
server: nginx
status: 303
strict-transport-security: max-age=31556926; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-ua-compatible: IE=Edge,chrome=1
Provisional headers are shown
DNT: 1
Referer: http://localhost:3000/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

OPTIONS request

Request URL: https://connect.stripe.com/oauth/token
Request Method: OPTIONS
Status Code: 303 
Remote Address: 54.187.119.242:443
Referrer Policy: no-referrer-when-downgrade
content-length: 0
content-security-policy: default-src 
location: https://connect.stripe.com/login?redirect=%2Foauth%2Ftoken
referrer-policy: strict-origin-when-cross-origin
request-id: 1550537522-mreq_9XV0Kp3XVIJYPq
server: nginx
status: 303
strict-transport-security: max-age=31556926; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-ua-compatible: IE=Edge,chrome=1
Provisional headers are shown
Access-Control-Request-Headers: access-control-allow-headers
Access-Control-Request-Method: POST
DNT: 1
Origin: http://localhost:3000
Referer: http://localhost:3000/profile/edit?code=ac_EYThaA5LNla8&state=35N1UGuPHac9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Answer

You will need to set Access-Control-Allow-Origin to *.

For Firebase Cloud Functions you would do this...

res.header('Content-Type', 'application/json');
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Headers', 'Content-Type');
if (req.method === 'OPTIONS') {
  // Answer the preflight and stop; do not fall through to the real handler
  return res.status(204).send('');
}

However, I'm not sure which server you're using, so I can't give you the exact code.

source: stackoverflow.com