Fix CORS when using credentials headers #58
What this does
The goal of this PR is to fix CORS issues when using credentials.
In my setup, I am using lucia to manage authentication.
The server being on a different port than my main app, I needed to use CORS, but got issues with credentials.
My setup
My setup is very specific. It might be the cause of the issues I encountered but maybe others will too at some point.
I am using sveltekit for my webapp. rxdb-server is installed as a dependency, meaning it is both built for the server and shipped to the client.
As I cannot simply route traffic to rxdb-server endpoints with sveltekit (still working on that, it would be really cool to have a specific "plug&play" sveltekit adapter), I am simply running the rxdb-server on a different port.
In my authHandler for rxdb-server, I use lucia to authenticate the client like this:
```ts
// Inside the rxdb-server authHandler: look up the lucia session from the request cookie
const sessionId = auth.readSessionCookie(requestHeaders.cookie);
if (sessionId) {
  const session = await auth.validateSession(sessionId);
  ...
}
```
I am running the server in sveltekit "dev mode" (with Vite) on port 5173 as you will see in the errors I copied here.
I used the options { cors: 'http://localhost:5173' } both when declaring my server and my endpoint.
The errors
First I got the two following errors:
I added the option 'credentials: true' in the setCors function of adapter-express/index.ts but still got
For both /pullStream and /pull?lwt=0&id=26&limit=100
Leading me to simply bypass the setCors function when credentials are used to declare the CORS options server-wide and not from specific endpoints.
I then got the following error:
Which was fixed by adding credentials: 'include' in each fetch request in replication-server/index.ts
Conclusion
While this may not be the optimal way to achieve the expected results, it does indeed fix my issues and doesn't seem to have any impact on existing instances as all fields are optional.
This does however mean that premium server adapters (which I cannot access) must include an "enableCredentials()" method since I changed the RxServerAdapter type. This shouldn't be a big deal though.
Feel free to critique this PR, I was not really familiar with CORS before this. My only goal is to get it working properly but if it can be done a better way I would love to see how.