jhthorsen / mojolicious-plugin-openapi

OpenAPI / Swagger plugin for Mojolicious

Add "Access-Control-Allow-Credentials" header support #181

Closed ribugent closed 4 years ago

ribugent commented 4 years ago

Hello,

Working on a company project, we have a frontend that makes CORS requests and uses cookie-based authentication.

Our CORS requests were failing because the header Access-Control-Allow-Credentials was missing, so we have added it in our implementation.

It would be nice if the plugin supported this kind of request, so here's a PR that adds this feature. Of course, it's off by default to avoid any issues for projects using it.

Hope this helps!

jhthorsen commented 4 years ago

How is this simpler than just setting the "Access-Control-Allow-Headers" header directly?

ribugent commented 4 years ago

I've just tested to be sure, and unfortunately it doesn't work.

Using cookie-based authentication in CORS requires enabling credentials in the fetch JS code. Enabling this option forces the browser to do a preflighted request, and the Access-Control-Allow-Credentials header is always expected; otherwise, it blocks the request.

The only way is to return the header Access-Control-Allow-Credentials.

jhthorsen commented 4 years ago

Please provide an example app where it doesn't work to set the header manually.

jhthorsen commented 4 years ago

I'm sorry, but I have to close this now. Maybe you want to try something like this in your spec:

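paths:
  /whatever:
    # Operation (HTTP method) level; use the method your route handles
    get:
      responses:
        200:
          # A response object needs a description
          description: OK
          headers:
            # Declared with a default of the literal string 'true'
            Access-Control-Allow-Credentials:
              type: string
              default: 'true'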

Another way could be using https://docs.mojolicious.org/Mojolicious#before_render, https://docs.mojolicious.org/Mojolicious#around_action or a custom route using https://metacpan.org/pod/Mojolicious::Plugin::OpenAPI#route1.
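
The browser-side rule at issue in this thread, as an added example (not code from the plugin or from either commenter): a JavaScript model of the Fetch standard's CORS check, showing when a response to a request sent with `credentials: 'include'` is exposed to the page. The names `corsCheck` and `getHeader` and the origin `https://app.example` are assumptions made for the illustration.

```javascript
// Added example: a model of the browser's CORS check (Fetch standard).
// corsCheck, getHeader and the sample origin are hypothetical names.

// Case-insensitive lookup in a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// credentialsMode mirrors the `credentials` option of fetch().
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const origin = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  const creds = getHeader(responseHeaders, 'Access-Control-Allow-Credentials');
  const withCreds = credentialsMode === 'include';

  if (origin === null) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin' };
  }
  // The wildcard only satisfies requests sent without credentials.
  if (origin === '*' && !withCreds) {
    return { allowed: true, reason: 'wildcard, no credentials' };
  }
  if (origin !== requestOrigin) {
    return { allowed: false, reason: 'origin not matched exactly' };
  }
  if (!withCreds) {
    return { allowed: true, reason: 'origin matched, no credentials' };
  }
  // With cookies attached the value must be the literal string "true".
  if (creds === 'true') {
    return { allowed: true, reason: 'origin matched, credentials allowed' };
  }
  return { allowed: false, reason: 'no Access-Control-Allow-Credentials: true' };
}

// Constructed sample responses for a page served from https://app.example.
const page = 'https://app.example';
const samples = [
  { 'Access-Control-Allow-Origin': page },
  { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
  { 'Access-Control-Allow-Origin': page, 'Access-Control-Allow-Credentials': 'true' },
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), corsCheck(page, 'include', headers));
}
```

On the server side this means a credentialed response has to echo an origin taken from an explicit allow-list; `*` combined with `Access-Control-Allow-Credentials: true` is rejected by the browser.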