CORS Environment Variables Issue
emmanuel97423
HOBBYOP

2 months ago

Subject: Persistent CORS Configuration Issues with Environment Variables

Hello Railway Support Team,

I am experiencing persistent issues with CORS (Cross-Origin Resource Sharing) configuration in my production environment, and I believe there may be an issue with how Railway handles environment variables that contain URLs.

Problem Description

My application is a Medusa.js e-commerce backend deployed on Railway. Despite following all recommended practices, I continue to encounter CORS errors when my frontend (also on Railway) tries to communicate with the backend API.

Current Setup

  • Backend Serviceutamamarket-production.up.railway.app

  • Frontend Serviceutama-frontend-production.up.railway.app

  • Framework: Medusa.js v2.12.5

  • Environment: Production

Environment Variables Configuration

I have configured the following CORS-related environment variables in Railway:

STORE_CORS=https://utama-frontend-production.up.railway.app
ADMIN_CORS=https://utama-frontend-production.up.railway.app
AUTH_CORS=https://utama-frontend-production.up.railway.app

Important: I have configured these values WITHOUT quotes in the Railway dashboard, as per Railway's documentation.

Issues Observed

1. Inconsistent Environment Variable Parsing

I have noticed that Railway may be adding quotes or modifying the environment variable values in ways that are not visible in the dashboard but affect how my application reads them. This has forced me to implement workarounds in my code to clean these values, which goes against best practices.

2. CORS Preflight Requests Failing

When my frontend makes requests to the backend, the OPTIONS preflight requests are failing. In the logs, I can see:

OPTIONS /admin/publishable-keys - Status: 401

However, these should return 204 No Content with appropriate CORS headers. The requests are coming from the correct origin (https://utama-frontend-production.up.railway.app), which matches the STORE_CORS and ADMIN_CORS values.

3. CORS Headers Not Being Set Correctly

Even when the backend receives requests, the CORS headers (Access-Control-Allow-OriginAccess-Control-Allow-Methods, etc.) are not being set correctly, causing the browser to block the requests.

What I've Tried

  1. Verified variable values: Confirmed that the CORS variables are set correctly in Railway dashboard (without quotes, with full HTTPS URLs, no trailing slashes)

  2. Checked application code: My medusa-config.ts file correctly reads these environment variables:

    http: {
  storeCors: process.env.STORE_CORS || "http://localhost:3000",
  adminCors: process.env.ADMIN_CORS || "http://localhost:3000",
  authCors: process.env.AUTH_CORS || process.env.ADMIN_CORS || process.env.STORE_CORS || "http://localhost:3000",
}

  3. Implemented workarounds: Previously added custom parsing functions to clean quotes and whitespace from environment variables, but removed them to follow Medusa.js best practices

  4. Tested locally: The same configuration works perfectly in local development

  5. Verified Railway documentation: Followed Railway's guidelines for environment variable configuration

Questions for Railway Support

  1. Does Railway automatically add quotes or modify environment variable values?

    • If yes, is this documented somewhere?

    • Is there a way to prevent this behavior?

  2. Are there any known issues with environment variables containing URLs?

    • Specifically for CORS configuration

    • Any special characters or formats that cause issues?

  3. How can I verify the exact value that my application receives?

    • Is there a way to see the raw environment variable values in Railway logs?

    • Can I access the actual parsed values at runtime?

  4. Are there any Railway-specific considerations for CORS configuration?

    • Any headers or settings that Railway adds/removes that might interfere?

    • Any proxy or load balancer configurations that affect CORS?

Requested Assistance

I would appreciate if Railway support could:

  1. Verify the environment variable values in my production environment to confirm they are stored exactly as I configured them (without any automatic modifications)

  2. Check if there are any Railway-specific issues that might be interfering with CORS headers or environment variable parsing

  3. Provide guidance on the best way to configure CORS-related environment variables in Railway for Medusa.js applications

  4. Investigate if there are any known bugs or limitations related to environment variables containing URLs or special characters

Additional Information

  • Project IDf7fefab7-1e1a-42d9-989f-d20223bb9f86

  • Environment ID385377f0-b5ef-4f4f-9ffb-6ecdbf6c89f8

  • Backend Service ID475120f3-ca87-4e90-aa6d-630332db4441

  • Recent Deployment94abdf22-6598-4ced-8124-ce46896a731e

I can provide additional logs, configuration files, or any other information that would be helpful for troubleshooting.

Thank you for your assistance.

Best regards,

$10 Bounty

1 Replies

darseen
HOBBYTop 5% Contributor

2 months ago

I think that your auth middleware is running before the cors middleware.

You noted: OPTIONS /admin/publishable-keys - Status: 401 A 401 (unauthorized) on a preflight (options) request might mean that the auth middleware is running before the cors middleware.

If this were just an env vars problem, the cors middleware would usually let the request pass through without headers, resulting in a browser cors error, or return a 204 but rarely an unauthorized status code (401).

Loading...