Reputation: 59
I'm trying to exchange the authorization code for an access token for a Google Calendar integration. I was following Using OAuth 2.0 for Web Server Applications. The examples shown there were for Flask, but I'm using Django. The problem is, I can't redirect to authorization_url because it says:
    Access to fetch at link from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
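    import google_auth_oauthlib.flow
    from django.shortcuts import redirect
    from rest_framework.decorators import api_view

    # CLIENT_SECRETS_FILE and SCOPES are defined elsewhere in the module.
    @api_view(['GET'])
    def authorize(request):
        # Build the OAuth flow from the downloaded client secrets.
        flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
            CLIENT_SECRETS_FILE,
            scopes=SCOPES)
        flow.redirect_uri = 'http://localhost:3000/'
        authorization_url, state = flow.authorization_url(
            access_type='offline',
            include_granted_scopes='true')
        # Responds with a 302 to Google's authorization endpoint.
        response = redirect(authorization_url)
        return response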
However, in my settings.py I have:
    CORS_ALLOWED_ORIGINS = [
        "http://localhost:3000",
        "http://127.0.0.1:3000",
    ]
    MIDDLEWARE = [
        "corsheaders.middleware.CorsMiddleware",
        "django.middleware.common.CommonMiddleware",
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]
Upvotes: 0
Views: 1822
Reputation: 21
You can have a look at this package: https://pypi.org/project/django-cors-headers/
So you can try to add the origin to "Trusted Origins" in Django settings:
    CSRF_TRUSTED_ORIGINS = ['www.something.com']
or like this, for all origins (not recommended):
    CORS_ALLOW_ALL_ORIGINS = True
Upvotes: 0
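An added example, not part of the original question or answer: when the page calls the view with fetch(), the browser follows the 302 to Google's authorization endpoint and applies its CORS check there, where Django's CORS settings have no effect. This framework-independent sketch hands the URL back as data so the page can navigate the whole window to it, and it keeps the `state` value for verification on the callback. The endpoint is Google's documented one; the client ID, scope, session dict and function names are assumptions standing in for the page's `CLIENT_SECRETS_FILE`, `SCOPES` and Django's `request.session`.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed values for illustration; the page reads these from CLIENT_SECRETS_FILE.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"
REDIRECT_URI = "http://localhost:3000/"
SCOPES = ["https://www.googleapis.com/auth/calendar.readonly"]


def begin_authorization(session):
    """Return a JSON-serialisable body for the frontend instead of a 302.

    The frontend reads authorization_url and navigates the window there,
    so fetch() never requests Google's endpoint and no CORS check applies.
    `session` is a dict standing in for the server-side session.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # bound to this browser session
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "access_type": "offline",
        "include_granted_scopes": "true",
        "state": state,
    })
    return {"authorization_url": f"{AUTH_ENDPOINT}?{query}"}


def finish_authorization(session, query_string):
    """Validate the callback query string and return the authorization code.

    Raises ValueError when state is missing, already used or does not match.
    """
    params = parse_qs(query_string)
    expected = session.pop("oauth_state", None)  # single use
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: possible CSRF on the OAuth callback")
    if "error" in params:
        raise ValueError(f"authorization denied: {params['error'][0]}")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]
```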