meilisearch: Cors error returned instead of authentication_error on wrong API key in browser

Describe the bug Previously when integrate MeiliSearch in a browser script and run it without API key or with a wrong API key I would receive a authentication_error. Since v0.15 i receive a CORS error.

To Reproduce Steps to reproduce the behavior:

  1. Launch a MeiliSearch instance with a masterKey
  2. Use the following code in a http file (notice it does not use a master key)
<!DOCTYPE html>
<html>
<head>
  <meta charset='utf-8'>
  <meta http-equiv='X-UA-Compatible' content='IE=edge'>
</head>
<body>
    Indexes:
    <div id="indexes"></div>
</body>
</html>
<script src="../../dist/bundles/meilisearch.umd.js"></script>
<script>
  const client = new window.MeiliSearch({
    host: 'http://127.0.0.1:7700',
  })
  client.listIndexes().then(res => {
    console.log({ res });
    res.map(index => document.querySelector('#indexes').innerHTML = `<div>${index.name}</div>`)
  })
</script>

  1. Open the html file or run a http server using http-server yourhtmlfile.html
  2. Open it on a browser and look at the console

Expected behavior Return the authentication_error body instead of a CORS error as it not clear what failed.

{
  "message": "You must have an authorization token",
  "errorCode": "missing_authorization_header",
  "errorType": "authentication_error",
  "errorLink": "https://docs.meilisearch.com/errors#missing_authorization_header"
}

Screenshots

v.0.15: Screenshot 2020-10-15 at 14 00 37

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 15 (10 by maintainers)

Commits related to this issue

Most upvoted comments

Fixed by the integration of the new search engine in https://github.com/meilisearch/MeiliSearch/pull/1421

Could not reproduce with latest v0.21 so all good for me

The way I reproduce the error is by either adding a wrong API key or a wrong API key. Instead of returning an error telling me I have no authorization, it makes a CORS error. Could you check that your API key is correct on your production server?

Just fixed it ! Sorry, I put the key in the private ENV variables.

The way I reproduce the error is by either adding a wrong API key or no API key. Instead of returning an error telling me I have no authorization, it makes a CORS error. Could you check that your API key is correct on your production server?

After further investigation, this is how to reproduce the problem:

  1. Start a meilisearch server v0.15 > with a master key
  2. Make a call to that MeiliSearch inside your browser without adding a API key
  3. CORS error instead of authentication error body.

Minimal code to reproduce :

<!DOCTYPE html>
<html>
</html>
<script>
  fetch('http://localhost:7700/indexes/movies/search?q=batman').then(res => {
    console.log({ res });
  })
</script>