authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

Separate CORS origins config #3637

Open tung2744 opened 7 months ago

tung2744 commented 7 months ago

Currently we need to configure the following redirect URIs when using a Capacitor app, or there will be a CORS error:

We should consider always allowing these origins in the server. Or even always allowing localhost?

tung2744 commented 7 months ago

@louischan-oursky Not sure if we should do it, what do you think?

tung2744 commented 7 months ago

Maybe it is not a good idea to allow localhost in production https://community.auth0.com/t/why-localhost-is-not-recommended-as-an-allowed-callback-or-origin-for-production/46668/11

tung2744 commented 7 months ago

I've checked how Auth0 and Google handle CORS. Google has a separate config for allowed origins: (image)

And auth0 also has similar config: https://auth0.com/docs/get-started/applications/set-up-cors

It seems what we should do is separate the allowed origins config from redirect URIs.

@fungc-io @louischan-oursky

louischan-oursky commented 7 months ago

We do have separate allowed origins (http.allowed_origins), but it is not client-specific. Maybe we should add client-specific allowed origins.

tung2744 commented 7 months ago

I think we mainly want the user to be able to set it in the portal, so they can add allowed origins for the Capacitor app.
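As an added illustration of the design discussed in this thread (this is example code, not authgear-server's implementation, and `ClientConfig`, `IsOriginAllowed` and `LocalhostOrigins` are assumed names): a Go origin check that merges the global `http.allowed_origins` list with a per-client list, compares origins exactly rather than by prefix, never derives origins from redirect URIs, and reports loopback origins so a production deployment can flag them.

```go
package main

import (
	"net/url"
	"strings"
)

// ClientConfig is a hypothetical per-client config, not authgear's real schema.
// AllowedOrigins is kept separate from RedirectURIs, as the issue proposes.
type ClientConfig struct {
	RedirectURIs   []string
	AllowedOrigins []string
}

// normalizeOrigin reduces a value to lower-case scheme://host[:port]; "" means not an absolute URL.
func normalizeOrigin(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// IsOriginAllowed matches the request Origin exactly against the global
// http.allowed_origins list plus the named client's own list. Redirect URIs are
// deliberately not consulted: a valid redirect target is not an allowed caller.
func IsOriginAllowed(origin string, global []string, clients map[string]ClientConfig, clientID string) bool {
	want := normalizeOrigin(origin)
	if want == "" {
		return false // also prevents an unparsable entry such as "*" from matching
	}
	for _, cand := range append(append([]string{}, global...), clients[clientID].AllowedOrigins...) {
		if normalizeOrigin(cand) == want {
			return true
		}
	}
	return false
}

// LocalhostOrigins returns configured origins that point at the loopback host.
func LocalhostOrigins(origins []string) (out []string) {
	for _, o := range origins {
		if u, err := url.Parse(o); err == nil {
			if h := strings.ToLower(u.Hostname()); h == "localhost" || h == "127.0.0.1" || h == "::1" {
				out = append(out, o)
			}
		}
	}
	return out
}
```

The sample values in the test below (client id, origins) are constructed for illustration.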