CenterForDigitalHumanities / TPEN-services

Services required by TPEN interfaces in order to interact with data

Simplify CORS #9

Open thehabes opened 8 months ago

thehabes commented 8 months ago

Certain endpoints need to do CORS headers. Use the node 'cors' package middleware on the routes which need cors headers.

import cors from 'cors'

Expect to use the following headers and values

Access-Control-Allow-Origin: * -- same for every route
Access-Control-Allow-Methods: GET or OPTIONS or HEAD or PUT or PATCH or DELETE or POST -- whichever the route uses
Access-Control-Allow-Headers: [
      'Content-Type',
      'Content-Length',
      'Allow',
      'Authorization',
      'Location',
      'ETag',
      'Connection',
      'Keep-Alive',
      'Date',
      'Cache-Control',
      'Last-Modified',
      'Link',
      'X-HTTP-Method-Override'
] -- same for every route
Access-Control-Expose-Headers: * -- same for every route

cubap commented 8 months ago

tag:reminder. This ought to be mentioned in each issue that needs it. There are some internal API issues that will not be CORS.

thehabes commented 8 months ago

Yes. If we are not going to register it as middleware in app.mjs then each route that needs it will have to import the cors package and set cors for the route.

cubap commented 8 months ago

This is coming up in a lot of routes, obviously, and I think we may be at risk of damaging work being done by @CenterForDigitalHumanities/oss-tpen-services and @CenterForDigitalHumanities/administrators.

The big cut-paste cors config may change slightly or become hard to maintain and is largely repeated anyway. The cors might be attached where the routes are attached, which will also be a place where auth can be inserted `app.use('/line', [cors, auth], lineRouter)` which is useful for centralizing the control of it and not repeating code. However, this applies to all routes at that path at this level, which isn't ideal.

Another option is to separate it and just apply the router twice, so `app.get('/line',cors(),lineRouter)` ahead of `app.use('/line',[cors,auth],lineRouter)` would send requests to `lineRouter` without authentication in a GET.

Regardless, if cors is reused across files with the same configuration, we should export a configured cors within our project for reuse. Also, if cors is invoked only inside of the routes, then we should also only apply cors to the valid routes.
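
The "configured cors exported for reuse" idea from the last comment, sketched as an added example that is not part of the thread or of the TPEN-services code. The function names are hypothetical, and `standInCors` is a constructed stand-in for the `cors` factory so the file runs without dependencies; in the project, `makeRouteCors` would be given the real `cors` import.

```javascript
// Added example; function names are hypothetical, header values come from the issue.
const KNOWN_METHODS = ['GET', 'OPTIONS', 'HEAD', 'PUT', 'PATCH', 'DELETE', 'POST']

// Same for every route. Keys are option names the 'cors' package accepts.
const SHARED_CORS = Object.freeze({
  origin: '*',
  allowedHeaders: ['Content-Type', 'Content-Length', 'Allow', 'Authorization',
    'Location', 'ETag', 'Connection', 'Keep-Alive', 'Date', 'Cache-Control',
    'Last-Modified', 'Link', 'X-HTTP-Method-Override'],
  exposedHeaders: '*'
})

// Per-route options: the shared values plus only the methods that route uses.
function corsOptionsFor(...methods) {
  const wanted = [...new Set(methods.map(m => String(m).toUpperCase()))]
  const unknown = wanted.filter(m => !KNOWN_METHODS.includes(m))
  if (wanted.length === 0 || unknown.length > 0) {
    throw new Error(`invalid CORS methods: ${unknown.join(', ') || '(none given)'}`)
  }
  return { ...SHARED_CORS, methods: wanted }
}

// Bind once to the factory, then call routeCors('GET') wherever a route needs it.
function makeRouteCors(corsFactory) {
  return (...methods) => corsFactory(corsOptionsFor(...methods))
}

// Constructed stand-in for the 'cors' factory. Like the package, it sends the
// method and header lists only when answering an OPTIONS preflight.
function standInCors(options) {
  return (req, res, next) => {
    res.setHeader('Access-Control-Allow-Origin', options.origin)
    res.setHeader('Access-Control-Expose-Headers', options.exposedHeaders)
    if (req.method === 'OPTIONS') {
      res.setHeader('Access-Control-Allow-Methods', options.methods.join(','))
      res.setHeader('Access-Control-Allow-Headers', options.allowedHeaders.join(','))
    }
    next()
  }
}

// Run a middleware against a fake request/response and return the headers it set.
function headersSetBy(middleware, method) {
  const headers = {}
  middleware({ method }, { setHeader: (k, v) => { headers[k] = v } }, () => {})
  return headers
}

const routeCors = makeRouteCors(standInCors)
console.log(headersSetBy(routeCors('get', 'head'), 'OPTIONS'))
```

With the real package, a route that only registers `router.get(path, routeCors('GET'), handler)` never sees the OPTIONS preflight, so the same middleware also has to be registered with `router.options` for that path.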