Setting both the 'Origin' and 'Authorization' headers is forbidden
michael-land opened this issue · 9 comments
Preliminary Checks
- I have reviewed the documentation: https://clerk.com/docs
- I have searched for existing issues: https://github.com/clerk/javascript/issues
- I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)
- This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.
Reproduction
https://github.com/clerk/clerk-chrome-extension-starter/tree/v5
Publishable key
pk_test_ZW1pbmVudC1zdW5iZWFtLTUzLmNsZXJrLmFjY291bnRzLmRldiQ
Description
I encountered an issue while setting up Clerk with a browser extension, using https://github.com/clerk/clerk-chrome-extension-starter/tree/v5 as a starting point. After following the setup instructions, I updated the allowed_origins to include my extension ID using this command:
curl -X PATCH https://api.clerk.com/v1/instance \
-H "Authorization: Bearer MY_CLERK_SK" \
-H "Content-type: application/json" \
-d '{"allowed_origins": ["chrome-extension://flfelhfgffaic..."]}'
{
"errors": [
{
"message": "Setting both the 'Origin' and 'Authorization' headers is forbidden",
"long_message": "For security purposes, only one of the 'Origin' and 'Authorization' headers should be provided, but not both. In browser contexts, the 'Origin' header is set automatically by the browser. In native application contexts (e.g. mobile apps), set the 'Authorization' header.",
"code": "origin_authorization_headers_conflict"
}
],
"clerk_trace_id": "ab991588a0088cdc526a2fdd83d614b7"
}
Steps to reproduce:
- clone https://github.com/clerk/clerk-chrome-extension-starter/tree/v5
- follow the Clerk extension README to set up host_permissions
- add VITE_CLERK_PUBLISHABLE_KEY to env file
Expected behavior:
should work
Actual behavior:
does not work
Environment
System:
OS: macOS 14.2.1
CPU: (12) arm64 Apple M3 Pro
Memory: 88.08 MB / 18.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 20.11.0 - ~/Library/Caches/fnm_multishells/96079_1711308377063/bin/node
Yarn: 1.22.21 - ~/Library/Caches/fnm_multishells/96079_1711308377063/bin/yarn
npm: 10.2.4 - ~/Library/Caches/fnm_multishells/96079_1711308377063/bin/npm
pnpm: 8.15.1 - ~/Library/Caches/fnm_multishells/96079_1711308377063/bin/pnpm
Browsers:
Chrome: 123.0.6312.59
Safari: 17.2.1
I have exactly the same issue when following the instructions from the chrome-extension README.
Already patched {"allowed_origins": ["chrome-extension://hffncgjlomhcifdgaagggiemefokmpnp"]} to the project.
More context: I'm running in content scripts, not sure if it's the root cause. This is now blocking my release 🥲
Faced the same response error, using @clerk/clerk-expo and sign-up with Google.
Possibly because of this line:
https://github.com/clerk/javascript/blob/main/packages/expo/src/singleton.ts#L43
Hi all,
The issue here is that the ID for the Chrome Extension / Expo application has changed since allowed_origins was set.
This can happen in a number of scenarios, for example, when uninstalling and re-installing a Chrome Extension.
Two options are either to update allowed_origins with the new origin, or to set a unique ID.
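The error response quoted in the report and the maintainer's explanation at the end of the thread amount to two checks: a request may carry Origin or Authorization but not both, and a browser-context request is accepted only if its Origin is in allowed_origins. The following JavaScript is an added example, not Clerk's code and not taken from this issue; it models those two rules so the reinstall failure mode and the header conflict can be reproduced offline. The helper names (`extensionOrigin`, `classifyRequest`, `reinstallScenario`), the outcome names other than `origin_authorization_headers_conflict`, and the post-reinstall extension ID are assumptions; the allow-listed ID is the one posted in this thread.

```javascript
// Added example, not Clerk's code: a model of the two checks this thread turns on,
// written so the failure modes can be reproduced offline.
//
// 1. The rule quoted in the error response: a request may carry an Origin header
//    (browser context) or an Authorization header (native-app context), not both.
// 2. The maintainer's explanation: a browser-context request is accepted only when
//    its Origin is in the instance's allowed_origins, and a Chrome extension's
//    origin is derived from its extension ID, which changes on reinstall unless
//    the ID is pinned.
//
// "origin_authorization_headers_conflict" is the code from the error response on
// this page; "ok", "origin_not_allowed" and "unauthenticated" are assumed names
// for the other outcomes. None of this is Clerk's server implementation.

// A Chrome extension ID is 32 characters in the range a-p: the first 32 hex
// digits of SHA-256(public key), with each hex digit mapped 0..f -> a..p.
function extensionOrigin(extensionId) {
  if (!/^[a-p]{32}$/.test(extensionId)) {
    throw new Error(`not a Chrome extension ID: ${extensionId}`);
  }
  return `chrome-extension://${extensionId}`;
}

// HTTP header names are case-insensitive; fetch() and curl both normalise them.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Decide how a request would be treated under the two rules above.
function classifyRequest(headers, allowedOrigins) {
  const origin = getHeader(headers, "Origin");
  const authorization = getHeader(headers, "Authorization");

  if (origin !== undefined && authorization !== undefined) {
    // Exactly the error on this page: the two context signals contradict each other.
    return "origin_authorization_headers_conflict";
  }
  if (origin !== undefined) {
    // Browser context: the browser set Origin, so allowed_origins is the gate.
    return allowedOrigins.includes(origin) ? "ok" : "origin_not_allowed";
  }
  if (authorization !== undefined) {
    // Native-app context: the bearer token is the credential; no origin check here.
    return "ok";
  }
  return "unauthenticated";
}

// The extension ID posted in this thread, used as the ID that was allow-listed.
const INSTALLED_ID = "hffncgjlomhcifdgaagggiemefokmpnp";
// Constructed ID standing in for the one Chrome assigns after an unpinned reinstall.
const REINSTALLED_ID = "abcdefghijklmnopabcdefghijklmnop";
const ALLOWED_ORIGINS = [extensionOrigin(INSTALLED_ID)];

// Walk through the scenarios in the thread and return each outcome.
function reinstallScenario() {
  return {
    // Extension as originally allow-listed: the browser sets Origin, nothing else.
    allowListed: classifyRequest({ Origin: extensionOrigin(INSTALLED_ID) }, ALLOWED_ORIGINS),
    // Same extension after an unpinned reinstall: new ID, so a new, unlisted origin.
    afterReinstall: classifyRequest({ Origin: extensionOrigin(REINSTALLED_ID) }, ALLOWED_ORIGINS),
    // Fix option 1 from the maintainer: PATCH allowed_origins with the new origin.
    afterPatch: classifyRequest(
      { Origin: extensionOrigin(REINSTALLED_ID) },
      [...ALLOWED_ORIGINS, extensionOrigin(REINSTALLED_ID)],
    ),
    // Native app: Authorization only, no Origin (header name in lower case on purpose).
    nativeApp: classifyRequest({ authorization: "Bearer <token>" }, ALLOWED_ORIGINS),
    // The conflict: code sets Authorization while the browser also sends Origin.
    bothHeaders: classifyRequest(
      { Origin: extensionOrigin(INSTALLED_ID), Authorization: "Bearer <token>" },
      ALLOWED_ORIGINS,
    ),
  };
}

console.log(reinstallScenario());
```

Run with node; the object returned by `reinstallScenario` shows the allow-listed origin accepted, the same extension rejected after an unpinned reinstall, the new origin accepted once allowed_origins is patched, and the conflict when code adds an Authorization header to a request the browser already stamps with Origin. The maintainer's second option, a stable extension ID, corresponds to pinning the `key` field in the extension's manifest.json so the ID no longer changes between installs.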