Expected Behavior
Responses from restheart-security should contain the CORS header access-control-expose-headers including all the values Location, ETag, Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location, X-Powered-By.
We're interested especially in Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location here.
Current Behavior
Restheart responds with access-control-expose-headers: Location, ETag, X-Powered-By. Restheart security checks that CORS headers are already present and does not alter them. Since Restheart security cares about the auth tokens and all of that, the header values access-control-expose-headers: Auth-Token, Auth-Token-Valid-Until, Auth-Token-Location are not allowed to be read by browser-side JavaScript.
Context
We're moving to the new restheart major release 4.0+.
Environment
n/a
Steps to Reproduce
Use Restheart-security and restheart
Send Request with valid basic auth credentials to Restheart-Security
Observe header access-control-expose-headers.
Possible Implementation
If access-control-expose-headers is present, add relevant values instead of simply accepting what downstream restheart did.
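
One way to do the merge described under Possible Implementation, as an added example that is not part of the original issue and not restheart-security's own code. It is a stand-alone Java helper using only the standard library; the class name, method name and constant are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class ExposeHeadersMerge {
    // Headers the security layer sets itself, as named in the issue.
    static final List<String> AUTH_HEADERS =
            List.of("Auth-Token", "Auth-Token-Valid-Until", "Auth-Token-Location");

    /**
     * Merge the Access-Control-Expose-Headers values already set downstream with
     * the names the proxy must add. The header may occur more than once, and each
     * occurrence is a comma-separated list; names compare case-insensitively.
     * A "*" set downstream is kept, but the names are still listed explicitly,
     * because browsers treat "*" as a wildcard only for requests without credentials.
     */
    static String mergeExposeHeaders(List<String> downstreamValues, List<String> required) {
        List<String> all = new ArrayList<>();
        for (String value : downstreamValues) {
            if (value != null) {
                all.addAll(List.of(value.split(",")));
            }
        }
        all.addAll(required);

        // Lower-case key -> first spelling seen; insertion order is preserved.
        Map<String, String> merged = new LinkedHashMap<>();
        for (String name : all) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) {
                merged.putIfAbsent(trimmed.toLowerCase(Locale.ROOT), trimmed);
            }
        }
        return String.join(", ", merged.values());
    }

    public static void main(String[] args) {
        // Constructed sample: the downstream value quoted in the issue.
        System.out.println(mergeExposeHeaders(List.of("Location, ETag, X-Powered-By"), AUTH_HEADERS));
        // Names already present downstream, in any case, are not duplicated.
        System.out.println(mergeExposeHeaders(List.of("location, auth-token"), AUTH_HEADERS));
        // No downstream header at all: only the proxy's own names are exposed.
        System.out.println(mergeExposeHeaders(List.of(), AUTH_HEADERS));
    }
}
```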