ShinGecko / neKo

Front-end of the neKo chat service. An innovative chat created to answer the needs of some students from France.

CORS #1

Closed ViGrad closed 7 years ago

ViGrad commented 7 years ago

@justinrlle @Shenrak

Well, I have a big problem with cross-origin requests. Here is the error text that I get when I try to request anything from the server:

XMLHttpRequest cannot load http://localhost:8085/users/auth. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'null' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

I investigated a little bit, so I am almost sure that it is a server-side problem.

justinrlle commented 7 years ago

Just to help things, here is a link to the MDN doc (French here). I need to further investigate this.

justinrlle commented 7 years ago

@ViGrad, are you sure you need to do the withCredentials in the request? From what I've read, it allows passing along all the cookies and some other things, but because we're doing it with JWT, which we should pass through a header field, there is no need for cookies... At least I think.

To be clear, the spec doesn't allow requests withCredentials if the server doesn't explicitly allow the server from where the request is coming from.

So we have two possibilities:

To me, the simplest one is obviously the first, even though the second, if done right, can be interesting.

ViGrad commented 7 years ago

Yeah, that's it! Thanks for this answer.
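
Added example, not part of the thread and not neKo's own code: a simplified model of the browser check behind the error above, next to a server-side header builder that stays valid with and without credentials. The function names and the allow-listed origin `http://localhost:3000` are assumptions made for illustration.

```javascript
// Added example: constructed origins and hypothetical helper names.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed front-end origin

// Server side: build CORS response headers for the request's Origin header.
function corsHeaders(origin, { credentials }) {
  // A JWT sent in the Authorization header must be listed explicitly for the preflight.
  const headers = { 'Access-Control-Allow-Headers': 'Authorization, Content-Type' };
  if (!credentials) {
    // No cookies involved: the wildcard is acceptable.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  // Credentialed mode: echo only an allow-listed origin, never '*' and never 'null'.
  if (origin !== 'null' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // caches must not reuse this response for another origin
  }
  return headers;
}

// Browser side: simplified model of the access control check on the response.
function browserAllows(headers, origin, withCredentials) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (withCredentials) {
    // The wildcard is rejected here; the origin must match exactly.
    return allowOrigin === origin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === origin;
}

// The failing case from the issue: wildcard response, withCredentials = true.
const wildcard = { 'Access-Control-Allow-Origin': '*' };
console.log('wildcard + credentials:', browserAllows(wildcard, 'null', true));
console.log('wildcard, no credentials:', browserAllows(wildcard, 'null', false));

// Credentialed requests pass only for an allow-listed origin.
for (const origin of ['http://localhost:3000', 'null', 'http://other.example']) {
  const h = corsHeaders(origin, { credentials: true });
  console.log(origin, '->', browserAllows(h, origin, true));
}
```

Pages opened from `file://` send `Origin: null`, as in the error above, so the credentialed branch deliberately refuses to echo that value.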