Open thehabes opened 8 months ago
tag:reminder. This ought to be mentioned in each issue that needs it. There are some internal API issues that will not be CORS
Yes. If we are not going to register it as middleware in app.mjs
then each route that needs it will have to import the cors
package and set cors for the route.
This is coming up in a lot of routes, obviously, and I think we may be at risk of damaging work being done by @CenterForDigitalHumanities/oss-tpen-services and @CenterForDigitalHumanities/administrators.
The big cut-paste cors config may change slightly or become hard to maintain and is largely repeated anyway. The cors might be attached where the routes are attached, which will also be a place where auth can be inserted app.use('/line', [cors, auth], lineRouter)
which is useful for centralizing the control of it and not repeating code. However, this applies to all routes at that path at this level, which isn't ideal.
Another option is to separate it and just apply the router twice, so app.get('/line',cors(),lineRouter) ahead of
app.use('/line',[cors,auth],lineRouter)would send requests to
lineRouter` without authentication in a GET.
Regardless, if cors is reused across files with the same configuration, we should export a configured cors within our project for reuse. Also, if cors is invoked only inside of the routes, then we should also only apply cors to the valid routes.
Certain endpoints need to do CORS headers. Use the node 'cors' package middleware on the routes which need cors headers.
Expect to use the following headers and values