[sign_in_with_apple] Suggestion: Add CORS instructions to documentation

[duncan-iaria]

Hey there — I ran into an issue when implementing the server side code. I'm running an express server and have some CORS whitelisting happening. Turns out I needed to add https://appleid.apple.com to the allowed list.

This might be a nice note to put in the server section of the README as it stumped me for a bit (and I ended up just guessing that https://appleid.apple.com was the correct URL — sure enough it worked).

Thanks for the great package!

[HenriBeck]

@duncan-iaria where exactly did you run into issues with CORS? You are saying that appleid.apple.com somehow requested your domain?

[duncan-iaria]

That's correct — when completing the Android flow (at the Sign in with Apple webview portion) it appears that Apple's servers call that /callback endpoint with the granted token. So when you input your Apple ID and PW and it's valid, Apple sends the granted token to the /callback endpoint. If you've got CORS enabled but you havne't whitelisted https://appleid.apple.com, you'll see at 500 CORS Error in the webview instead of the deeplink opening with the token.

That's my understanding of whats happening anyway. I guess to confirm that you could add CORS to the glitch example and see what happens.

[eripe970]

Had the same issue, think it would be good with an update to the README.