apollographql / router

A configurable, high-performance routing runtime for Apollo Federation 🚀
https://www.apollographql.com/docs/router/

CORS: list of trusted domains with credentials enabled + all other domains enabled for CORS but without credentials #2664

Open voslartomas opened 1 year ago

voslartomas commented 1 year ago

Is your feature request related to a problem? Please describe.

We have a list of "trusted" domains for which we would like to enable Access-Control-Allow-Credentials, as we have some old applications accessing the gateway which use cookies for authentication. But at the same time this gateway is publicly accessible, so for all the other domains we would like to keep it without credentials.

Also, at the moment we are able to define only a list of origins for which CORS will work, but we need to enable CORS for every single domain and enable credentials for only a few of them (our trusted ones).

Describe the solution you'd like

It would be handy to have a configuration option with one list for secured/trusted domains and be able to enable credentials for them, and for the rest they would be disabled.

Describe alternatives you've considered

An alternative would probably be to write our own plugin for this.

Samjin commented 5 months ago

Response headers can be updated in plugins, but in the case of a preflight request, it doesn't reach the router service. At the same time, we also can't use _allowcredential because it'll apply to all requests regardless of origin.

smyrick commented 3 months ago

Some config format like this is something that could help us

cors:
  allow_any_origin: true
  origins:
    - https://xx/
      allow_credentials: true
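
The policy requested in this issue (exact-match trusted origins get credentials, every other origin gets wildcard CORS without them), as an added example in Rust that is not part of the thread and not Apollo Router code. The `TRUSTED` list, the function names, and the preflight method/header values are assumptions.

```rust
// Added illustration: per-origin CORS header selection (not Apollo Router code).
// TRUSTED is a constructed sample list; the origins are placeholders.
const TRUSTED: &[&str] = &["https://app.example.com", "https://legacy.example.com"];

/// Returns the CORS response headers for a request carrying `origin`.
/// `preflight` is true for an OPTIONS request with Access-Control-Request-Method.
pub fn cors_headers(origin: Option<&str>, preflight: bool) -> Vec<(&'static str, String)> {
    let mut h = Vec::new();
    let origin = match origin {
        Some(o) => o,
        None => return h, // no Origin header: not a CORS request, add nothing
    };
    // Exact string match only; prefix or suffix matching would accept
    // look-alike hosts such as https://app.example.com.other.test.
    if TRUSTED.contains(&origin) {
        // Browsers reject "*" combined with credentials, so echo the origin.
        h.push(("Access-Control-Allow-Origin", origin.to_string()));
        h.push(("Access-Control-Allow-Credentials", "true".to_string()));
    } else {
        // Everyone else gets anonymous access: wildcard, no credentials header.
        h.push(("Access-Control-Allow-Origin", "*".to_string()));
    }
    // The response differs by Origin, so shared caches must key on it.
    h.push(("Vary", "Origin".to_string()));
    if preflight {
        // Assumed values; the credentials header above must also be present
        // on the preflight response or the browser blocks the real request.
        h.push(("Access-Control-Allow-Methods", "GET, POST, OPTIONS".to_string()));
        h.push(("Access-Control-Allow-Headers", "content-type".to_string()));
    }
    h
}

/// Looks up one header value by name in the returned list.
pub fn get<'a>(h: &'a [(&'static str, String)], name: &str) -> Option<&'a str> {
    h.iter().find(|(k, _)| *k == name).map(|(_, v)| v.as_str())
}

fn main() {
    for o in [Some("https://app.example.com"), Some("https://other.example.org"), None] {
        let h = cors_headers(o, true);
        println!("{:?} -> {:?}", o, get(&h, "Access-Control-Allow-Origin"));
    }
}
```

Because the decision depends only on the `Origin` header, the same function can answer preflight `OPTIONS` requests before they reach any downstream service.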