izderadicka / audioserve

Simple personal server to serve audio files from folders. Intended primarily for audio books, but anything with decent folder structure will do.

Can the --cors option be changed to allow setting a specific domain #62

Closed KodeStar closed 2 years ago

KodeStar commented 3 years ago

Responses' CORS headers are totally permissive, allowing access from all origins and with any additional headers, so this should be used rather in development.

Can the option be updated so a specific domain can be set?

That is only true if it's possible to get responses from the server :)

Not everyone is going to want to run their server allowing access from all origins, especially as it's discouraged in the readme.

izderadicka commented 3 years ago

Yes, it can be done and should not be very difficult. But I do not see it as a priority now, because:
a) Normally you serve the web client from audioserve, so it is same origin and --cors is not needed.
b) Even if served separately, usually audioserve will be under a reverse proxy (if nginx etc., it can also serve static content), so again it can be set up there to be same origin.

So --cors is practically for development - in production there are better ways as described above.

KodeStar commented 3 years ago

Yes, normally I would agree, but if I’m going to need to use something like Firebase to sync data you don’t want included on the server, then I’m going to need to host a version so people who don’t want to create a Firebase account can still use it.

izderadicka commented 3 years ago

I think I understand now: the client will be hosted independently, by you. Any user can use this shared client; they will just need to connect it to their audioserve instance, something like Jamstash or Subfire for the SubSonic API. In this case it makes much more sense, indeed. Though it just limits which browser locations can use the API; for a custom client it'll still be accessible from anywhere. This will probably need a bit more explanation in the readme too.

KodeStar commented 3 years ago

I will host the client independently (on GitHub Pages so it's all transparent) to make it easier for anyone to get started, but that won't be the only option. I'm currently looking at PouchDB/CouchDB as somewhere to store the data and have realtime syncing and offline support. So people can go down a few routes (for reference, Audiosilo is what I've called the webclient):

  1. Install audioserve / replace the webclient with Audiosilo / Install CouchDB / Configure the webclient to connect to CouchDB
    • No CORS issues with this setup
  2. Install audioserve / Install Audiosilo / Install CouchDB / Configure the webclient to connect to CouchDB
    • CORS issues, but everything is self-contained
  3. Install audioserve / Use hosted client
    • CORS issues, but simpler to get up and running, though will only work over HTTPS

The client has always had an input field for setting the location of the Audioserve server. Once you "login", that location is saved to IndexedDB so you don't need to enter it again (you can "logout" to change it).

izderadicka commented 2 years ago

--cors can now (in v0.17.0) contain a regular expression of the allowed origin
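
The origin check discussed in this thread, as an added example that is not audioserve's code: it matches the request's Origin header against an allowed-origin regular expression and compares an anchored pattern with an unanchored one. The function names and the origin `https://audiosilo.example` are constructed for illustration, and the explicit anchoring is this example's choice; the thread does not say how audioserve applies the pattern.

```javascript
// Added illustration; not audioserve code. All names and origins are constructed.

// Compile an allowed-origin pattern so it must match the whole Origin value.
// Without the ^(?:...)$ wrapper a pattern can match a longer, different origin.
function compileOriginPattern(pattern) {
  return new RegExp(`^(?:${pattern})$`);
}

// Decide which CORS response headers to add for a request.
// `origin` is the request's Origin header (undefined for non-browser clients).
// An empty result means "no CORS headers": the response is still sent, which
// is why CORS restricts browser pages only and is not API access control.
function corsHeaders(allowed, origin) {
  if (origin === undefined) return {};      // no Origin header: not a CORS request
  if (!allowed.test(origin)) return {};     // unlisted origin: browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,  // echo the single matching origin, not "*"
    "Vary": "Origin",                       // caches must key the response on Origin
  };
}

// Constructed pattern for a separately hosted client; the dot is escaped.
const strict = compileOriginPattern("https://audiosilo\\.example");
// The same pattern used unanchored, for comparison.
const loose = new RegExp("https://audiosilo\\.example");

// Constructed sample Origin values.
const samples = [
  "https://audiosilo.example",            // the intended client
  "https://audiosilo.example.other.test", // different site sharing the prefix
  "http://audiosilo.example",             // same host, wrong scheme
  undefined,                              // custom (non-browser) client
];

// For each sample, report whether each pattern would grant CORS access.
function report() {
  return samples.map((o) => ({
    origin: o,
    strict: "Access-Control-Allow-Origin" in corsHeaders(strict, o),
    loose: "Access-Control-Allow-Origin" in corsHeaders(loose, o),
  }));
}

console.log(report());
```
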