Closed AShroti closed 2 years ago
Localhost is enabled for CORS through the config, but this package gets installed on all environments, from Dev to Stage & Prod, whereas the localhost-specific settings should be enabled for the Dev environment only. I recommend having this config specifically at the project level (through the Dev-enablement setup).
As part of the fix under this issue, I am removing the CORS config (which was added to enable the localhost) as it creates a conflict with the OOTB AEM configuration.
As part of the commit, the WKND-specific content endpoint is introduced and enabled in the CSRF configuration. Hence I am not removing the CSRF config completely, but just fixing the conflict with the OOTB AEM. CC: @godanny86 @gknobloch
Raised the PR: https://github.com/adobe/aem-guides-wknd/pull/303
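One way to check the concern raised above, as an added example (not code from the WKND project): a script that flags CORS policy factory configs which allow a localhost origin from a run-mode folder that is not limited to `dev`. The sample file names and origins are constructed, and the `.cfg.json` layout and the use of `dev` in the folder name as the dev-only marker are assumptions.

```python
import json
import re
from pathlib import Path

CORS_PID = "com.adobe.granite.cors.impl.CORSPolicyImpl"
# Matches plain and regex-escaped loopback origins (e.g. 127\.0\.0\.1).
LOCAL = re.compile(r"localhost|127\\?\.0\\?\.0\\?\.1", re.I)

# Constructed sample: relative path -> file content (not the project's real files).
SAMPLE = {
    "config.author/" + CORS_PID + "~wknd-graphql.cfg.json": json.dumps({
        "alloworigin": ["http://localhost:3000"],
        "allowedpaths": ["/content/cq:graphql/.*/endpoint.json"]}),
    "config.author.dev/" + CORS_PID + "~wknd-local.cfg.json": json.dumps({
        "alloworiginregexp": ["http://localhost:.*"]}),
    "config.publish/" + CORS_PID + "~wknd-site.cfg.json": json.dumps({
        "alloworigin": ["https://app.example.com"]}),
}

def run_modes(path):
    """'config.author.dev/x.cfg.json' -> {'author', 'dev'}; 'config/x' -> set()."""
    parts = path.replace("\\", "/").split("/")
    return set(parts[-2].split(".")[1:]) if len(parts) > 1 else set()

def audit(configs):
    """Return [(path, [local origins])] for CORS policies that allow a local
    origin from a folder that is not limited to the dev run mode."""
    findings = []
    for path, text in sorted(configs.items()):
        name = path.replace("\\", "/").split("/")[-1]
        if not name.startswith(CORS_PID) or not name.endswith(".cfg.json"):
            continue
        props = json.loads(text)
        origins = []
        for key in ("alloworigin", "alloworiginregexp"):
            value = props.get(key, [])
            origins += [value] if isinstance(value, str) else list(value)
        local = [o for o in origins if LOCAL.search(o)]
        if local and "dev" not in run_modes(path):
            findings.append((path, local))
    return findings

def load_tree(root):
    """Read every *.cfg.json under an osgiconfig directory into audit()'s input dict."""
    return {str(p.relative_to(root)): p.read_text() for p in Path(root).rglob("*.cfg.json")}

if __name__ == "__main__":
    for path, local in audit(SAMPLE):
        print(f"{path}: local origin {local} is not scoped to dev")
```

To run it against a checkout, pass the `osgiconfig` directory to `load_tree()` and feed the result to `audit()`.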
Thanks @AShroti! We added the CORS config to make it easy for users to connect a locally running React JS app [1] to an AEM cloud service environment to test out GraphQL in a completely headless way. Won't removing the CORS config completely break that? There are multiple documents like [0] that rely on the pre-configured setup of WKND, so we need to be careful here.
I'm also not familiar with the Headless Admin App; is that publicly available?
What would you suggest?
[0] - https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/graphql/quick-setup/cloud-service.html?lang=en
[1] - https://github.com/adobe/aem-guides-wknd-graphql/tree/main/react-app
I've seen a suggestion from @jasghar to change the default product config to /content/cq:graphql/.*/endpoint.json
Yeah, if the product opens those up by default it would be great, especially since you have the option to publish/unpublish the endpoint...
@AShroti I'm also a little confused as to why a CORS config would conflict with OOTB functionality? You can have multiple CORS configs via a factory.
> I've seen a suggestion from @jasghar to change the default product config to /content/cq:graphql/.*/endpoint.json
I hope you meant the following:
/content/cq:graphql/.*/endpoint.json
at the AEM OOTB I will raise the PRs on both (AEM OOTB & WKND). Let me know if I have missed something.
> @AShroti I'm also a little confused as to why a CORS config would conflict with OOTB functionality? You can have multiple CORS configs via a factory.
Yes, there was no conflict in this case. I have restored the CORS config back.
Expected Behaviour
This project installed CSRF & CORS configurations that conflict with OOTB AEM. The following configurations need to be examined and adjusted/removed to ensure they don't conflict with AEM anymore:
https://github.com/adobe/aem-guides-wknd/tree/master/ui.config/src/main/content/jcr_root/apps/wknd/osgiconfig/config.author
Actual Behaviour
The OOTB expected POST/PREFLIGHT requests on Author are getting blocked due to custom CSRF & CORS configurations installed by this project.
The configs exist at https://github.com/adobe/aem-guides-wknd/tree/master/ui.config/src/main/content/jcr_root/apps/wknd/osgiconfig/config.author
Reproduce Scenario (including but not limited to)
The content can't be accessed using AEM GraphQL APIs if this WKND Sites project is installed on the author instance.
Steps to Reproduce
The Headless Admin App doesn't work with the instance if this WKND Sites project is installed.
Platform and Version
Sample Code that illustrates the problem
Logs taken while reproducing problem