Niek van Sleeuwen

When token is missing or expired CORS error returned instead of 401

Hi,

I am developing a Salesforce integration in a web application. I can log in and request data with the received token. I try to catch the 401 response when the token expires, however I get a CORS error when I don't include the Authorization header or pass in an expired token. Could anyone help me solve this? I need to implement a token refresh strategy by listening for a 401 response.
Vinay (Salesforce Developers)
Hi Niek,

Have you whitelisted the origin URL in the CORS allowlist?

https://developer.salesforce.com/docs/atlas.en-us.chatterapi.meta/chatterapi/extend_code_cors.htm

Thanks,
Niek van Sleeuwen
Hi Vinay,

The origin is whitelisted. I can request everything with a valid token. There are no CORS issues then. This happens specifically with an expired token or an empty Authorization header. Instead of the expected 401 I get a CORS error response. It looks like the absence of a token or an invalid token is not handled correctly for CORS requests.
Vinay (Salesforce Developers)
Do you see the same error when you test using POSTMAN? If not sure, can you try using API test tools to check the results?

Thanks,
Niek van Sleeuwen
Hi Vinay,

There are no issues with Postman. It is a specific browser issue. Somehow the Access-Control-Allow-Origin is only sent back if a request contains a valid access token. However, this prevents me from checking when an access token is expired and the refresh token should be used to request a new access token.
Vinay (Salesforce Developers)
Do you have any simple narrow down scenario so that I can check?

Thanks,
Niek van Sleeuwen
Running the following code from the console on either http://localhost or http://localhost:8080 returns a CORS error, because Salesforce doesn't add the Access-Control-Allow-Origin header in its response. Note that I removed the access token; this is on purpose to simulate an invalid token. This should give me a 401 response saying the token is invalid or expired. I also tried without the Authorization header, or with a valid token, given to me by Salesforce through OAuth authentication, that had expired.

Please note that you have to run it from http://localhost or http://localhost:8080, as these two are whitelisted in the CORS settings for this sandbox environment.

var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
// Deliberately invalid bearer token, to simulate an expired or missing token.
myHeaders.append("Authorization", "Bearer null");
// Cookie is a forbidden request header in the Fetch API; browsers silently drop it.
myHeaders.append("Cookie", "BrowserId=1-AzrmCKEeuqlK38s4sJwA");
var requestOptions = {
  method: 'GET',
  headers: myHeaders,
  redirect: 'follow'
};
fetch("https://bridge2-dev-ed.my.salesforce.com/services/data/v50.0/sobjects", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  // When the response lacks Access-Control-Allow-Origin, fetch rejects with a TypeError
  // and the real status (401) is never observable from script; this branch is what runs.
  .catch(error => console.log('error', error));

If you need a more complete example, I can give you a github repo to clone later.
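The refresh strategy asked about in the opening post, as an added example that is not code from the thread or from Salesforce: a fetch wrapper that refreshes the token on a readable 401, and, because the browser reports a missing Access-Control-Allow-Origin header as a rejected promise (TypeError) rather than a status code, also retries once after such a failure. fetchImpl, the token store, refreshAccessToken() and the two simulated fetch functions are assumptions and constructed stand-ins; the host in API_URL is a placeholder.

```javascript
// Added example, not code from the original thread. Demonstrates a refresh-on-401
// wrapper that also copes with the CORS failure mode described above.
// All names below (store, refreshAccessToken, simulated* fetches) are assumptions.

const API_URL = "https://INSTANCE.my.salesforce.com/services/data/v50.0/sobjects"; // placeholder host

// Hypothetical refresh step: in a real app this exchanges the refresh token
// for a new access token; here it just mints a labelled stand-in.
async function refreshAccessToken(store) {
  store.refreshes += 1;
  store.access = "fresh-token-" + store.refreshes;
  return store.access;
}

// store: { access, refresh, refreshes }. Refreshes at most once per call,
// so a token that is still rejected after refresh surfaces as an error.
async function fetchWithRefresh(url, fetchImpl, store, retried = false) {
  const headers = {
    "Content-Type": "application/json",
    Authorization: "Bearer " + store.access,
  };
  let response;
  try {
    response = await fetchImpl(url, { method: "GET", headers });
  } catch (err) {
    // A CORS failure never reaches the status check: fetch rejects with a
    // TypeError and the real status (a 401 in this thread) stays hidden, so the
    // only option left is to treat it as "possibly expired" and refresh once.
    if (!retried && err instanceof TypeError) {
      await refreshAccessToken(store);
      return fetchWithRefresh(url, fetchImpl, store, true);
    }
    throw err;
  }
  // The normal path: a readable 401 means refresh and retry once.
  if (response.status === 401 && !retried) {
    await refreshAccessToken(store);
    return fetchWithRefresh(url, fetchImpl, store, true);
  }
  return response;
}

// Constructed stand-in for the behaviour described in the thread: a valid token
// gets a 200 with CORS headers; an expired/missing token gets a response without
// Access-Control-Allow-Origin, which the browser surfaces as a rejected promise.
async function simulatedSalesforceFetch(url, options) {
  const auth = options.headers.Authorization || "";
  if (auth.startsWith("Bearer fresh-token-")) {
    return { status: 200, json: async () => ({ sobjects: [] }) };
  }
  throw new TypeError("Failed to fetch");
}

// Constructed variant of a server that sends CORS headers regardless of the
// token, so the 401 is readable and the catch branch above is never needed.
async function simulatedCorsFirstFetch(url, options) {
  const auth = options.headers.Authorization || "";
  if (auth.startsWith("Bearer fresh-token-")) {
    return { status: 200, json: async () => ({ sobjects: [] }) };
  }
  return {
    status: 401,
    json: async () => [{ errorCode: "INVALID_SESSION_ID", message: "Session expired or invalid" }],
  };
}

// Runs both simulations starting from an expired token and reports the outcome.
async function demo() {
  const results = {};
  const impls = { salesforceLike: simulatedSalesforceFetch, corsFirst: simulatedCorsFirstFetch };
  for (const [name, impl] of Object.entries(impls)) {
    const store = { access: "expired-token", refresh: "refresh-token", refreshes: 0 };
    const res = await fetchWithRefresh(API_URL, impl, store);
    results[name] = { status: res.status, refreshes: store.refreshes };
  }
  return results;
}

demo().then((r) => console.log(r));
```

The single-retry guard matters: without it, a refresh that itself fails (or a genuine network outage, which also arrives as a TypeError) would loop forever. Treating every TypeError as "token expired" is a workaround for the missing header, not a substitute for the readable 401 the thread asks for.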
Martin Zingor
Any update on this topic? I have the same issue.
Martin Zingor
CORS works for a valid token, but doesn't work for an invalid one.
Boothleads
We also have the exact same issue. CORS headers should be included regardless of the access token. Otherwise there's no way to detect an expired access token.
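The server-side ordering the last reply asks for, as an added example that is not code from the thread or from Salesforce: a minimal request handler that decides CORS headers from the Origin alone, answers the preflight, and only then checks the bearer token, so an expired token produces a 401 the browser script can actually read. The allowlist, VALID_TOKENS, the response body and the handler shape are assumptions.

```javascript
// Added example, not code from the original thread. Shows CORS headers being
// attached before authentication so a 401 stays observable cross-origin.
// ALLOWED_ORIGINS, VALID_TOKENS and the request/response shapes are assumptions.

const ALLOWED_ORIGINS = new Set(["http://localhost", "http://localhost:8080"]); // assumed allowlist
const VALID_TOKENS = new Set(["valid-token"]); // constructed stand-in for real session validation

// req: { method, headers: { origin?, authorization? } }
// returns: { status, headers, body }
function handleRequest(req) {
  const headers = {};
  const origin = req.headers.origin;

  // 1. CORS decision depends only on the Origin, never on who the caller is.
  //    Origins outside the allowlist get no header, exactly as before; the fix
  //    is ordering, not reflecting arbitrary origins.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
  }

  // Preflight requests carry no Authorization header, so they must be answered
  // before any token check or every cross-origin call fails at this step.
  if (req.method === "OPTIONS") {
    return { status: 204, headers, body: "" };
  }

  // 2. Authentication runs after the CORS headers are already in place.
  const auth = req.headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  headers["Content-Type"] = "application/json";
  if (!VALID_TOKENS.has(token)) {
    return {
      status: 401,
      headers,
      body: JSON.stringify([{ errorCode: "INVALID_SESSION_ID", message: "Session expired or invalid" }]),
    };
  }
  return { status: 200, headers, body: JSON.stringify({ sobjects: [] }) };
}

// Convenience wrapper used by the demo below.
function hasCors(res) {
  return Object.prototype.hasOwnProperty.call(res.headers, "Access-Control-Allow-Origin");
}

const expired = handleRequest({
  method: "GET",
  headers: { origin: "http://localhost:8080", authorization: "Bearer expired-token" },
});
console.log(expired.status, hasCors(expired)); // 401 true: the client can see and handle it
```

With this ordering a client at an allowlisted origin receives the 401 (and its body) for an expired token and can trigger its refresh flow; an origin outside the allowlist still gets no Access-Control-Allow-Origin, whatever token it sends.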