Open paul-tqh-nguyen opened 4 years ago
Currently, we're having hiccups with this:
Access to XMLHttpRequest at 'https://us-central1-swing-dance-scores.cloudfunctions.net/api/login' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This Stack Overflow answer had a suggestion that we tried below to test via curl (search for "To properly test with" on the page): https://stackoverflow.com/questions/43871637/no-access-control-allow-origin-header-is-present-on-the-requested-resource-whe
pnguyen@pnguyenmachine:~/code/swing_dance_scores/back_end/functions$ curl -i -X OPTIONS \
-H "Origin: http://127.0.0.1:3000" \
-H 'Access-Control-Request-Method: POST' \
-H 'Access-Control-Request-Headers: Content-Type, Authorization' \
-d '{ "email": "new_user.9.14.1@email.com", "password": "password.9.14.1"}' \
"https://us-central1-swing-dance-scores.cloudfunctions.net/api/login"
> > > > > HTTP/2 200
allow: POST
content-type: text/html; charset=utf-8
etag: W/"4-Yf+Bwwqjx254r+pisuO9HfpJ6FQ"
function-execution-id: mfvlr9jb9p3z
x-powered-by: Express
x-cloud-trace-context: 1ebf0ef3d9ba570dc7a7a44b9c452a76
date: Mon, 07 Oct 2019 14:32:18 GMT
server: Google Frontend
content-length: 4
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
POSTpnguyen@pnguyenmachine:~/code/swing_dance_scores/back_end/functions$
We're not getting the response described that should include:
Access-Control-Allow-Origin: http://127.0.0.1:3000
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Content-Type, Authorization
We can write a test for this once we figure this out.
Here's the desired curl response:
pnguyen@pnguyenmachine:~/code/swing_dance_scores/back_end/functions$ curl -i -X OPTIONS -H "Origin: http://127.0.0.1:3000" -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: Content-Type, Authorization' "https://us-central1-swing-dance-scores.cloudfunctions.net/api/login"
HTTP/2 204
access-control-allow-headers: Content-Type, Authorization
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-origin: *
function-execution-id: sptvv2z0i515
vary: Access-Control-Request-Headers
x-powered-by: Express
x-cloud-trace-context: e736694a2274bba8b4a3179e07368d35
date: Tue, 08 Oct 2019 01:23:26 GMT
content-type: text/html
server: Google Frontend
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
pnguyen@pnguyenmachine:~/code/swing_dance_scores/back_end/functions$
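As an added example (not the swing_dance_scores project's code), here is the preflight logic the desired response above needs, written as a plain Node.js function so it can be run without Express or the `cors` package. Two things worth noting from the captured sessions: the failing `HTTP/2 200` with `allow: POST` and a 4-byte body is Express's built-in OPTIONS responder, which answers only when nothing else (such as CORS middleware) handled the preflight first; and `http://localhost:3000` (the browser error) and `http://127.0.0.1:3000` (the curl test) are two different origins. The example goes slightly beyond the page by echoing an allow-listed origin instead of the `*` shown in the desired response, because a wildcard is refused by browsers once the request carries credentials such as an `Authorization` header or a cookie. The allow-list, the constant names and the request shape are assumptions for this example.

```javascript
// Added example (not the swing_dance_scores project's code): a CORS preflight
// handler in plain Node.js that returns the headers the issue expects, but only
// for an explicit allow-list of origins instead of "*".
// Assumptions: ALLOWED_* values and the {method, headers} request shape are
// constructed for this example; the real app would mount equivalent logic as
// Express middleware and copy result.headers onto res before responding.

const ALLOWED_ORIGINS = new Set([
  'http://localhost:3000',  // origin reported in the browser error
  'http://127.0.0.1:3000',  // origin used in the curl test; a distinct origin
]);
const ALLOWED_METHODS = ['POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

function normalizeHeaders(headers) {
  // Node lower-cases incoming header names; do the same for constructed input.
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Returns { status, headers }. status is 204 when the request was a preflight
// that this function fully answered, or null when the real handler should run
// after the headers have been added.
function corsResponse(req) {
  const h = normalizeHeaders(req.headers);
  const origin = h['origin'];
  const headers = {};

  // Same-origin or non-browser requests carry no Origin; nothing to add.
  if (!origin) return { status: null, headers };

  // Tell caches the answer depends on Origin even when we refuse, so a
  // denial for one origin is never served from cache to another.
  headers['Vary'] = 'Origin';

  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: no Access-Control-Allow-* headers at all, so the browser
    // blocks the response. A preflight still gets 204 rather than an error.
    return { status: req.method === 'OPTIONS' ? 204 : null, headers };
  }

  // Echo the specific origin rather than "*"; a wildcard is refused by
  // browsers when the request carries credentials (cookies or Authorization).
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' && !!h['access-control-request-method'];
  if (!isPreflight) return { status: null, headers };

  const wantMethod = h['access-control-request-method'].toUpperCase();
  const wantHeaders = (h['access-control-request-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

  const methodOk = ALLOWED_METHODS.includes(wantMethod);
  const headersOk = wantHeaders.every(x => ALLOWED_HEADERS.includes(x));
  if (!methodOk || !headersOk) {
    // Trusted origin asking for a method or header we do not serve: answer the
    // preflight without the Allow-Methods/Headers grant so the real request is blocked.
    return { status: 204, headers };
  }

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  headers['Access-Control-Max-Age'] = '600';  // let the browser cache this preflight
  return { status: 204, headers };
}

// Constructed request mirroring the curl preflight from the issue.
const preflightFromCurl = {
  method: 'OPTIONS',
  headers: {
    Origin: 'http://127.0.0.1:3000',
    'Access-Control-Request-Method': 'POST',
    'Access-Control-Request-Headers': 'Content-Type, Authorization',
  },
};
// corsResponse(preflightFromCurl) yields status 204 with
// Access-Control-Allow-Origin: http://127.0.0.1:3000 and the Allow-Methods/Headers grants.
```

Mounted as Express middleware, the function would run before the `/login` route: copy `result.headers` onto the response, end with `result.status` when it is 204, and call `next()` otherwise. In the project's case the equivalent is the `cors` middleware with an explicit `origin` list instead of its `*` default.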
https://www.youtube.com/watch?v=sX3KeP7v7Kg
Let's have it track the current user's login and access token for now.
We know that this might cause some security concerns, but we'll address that using httpOnly cookies as described here https://www.reddit.com/r/webdev/comments/acgll5/need_advice_on_authentication_using_localstorage/ed8dovv/
Some TODOs:
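As an added example (not the project's code), the httpOnly-cookie approach mentioned above in plain Node.js: the login handler issues the token in a `Set-Cookie` header with `HttpOnly`, so page scripts cannot read it the way they can read localStorage, and later requests are authenticated by reading the cookie back on the server. The cookie name, the lifetime, the function names and the request shape are assumptions for this example.

```javascript
// Added example (not the project's code): issuing the login token as an
// HttpOnly cookie instead of storing it in localStorage, plus the server-side
// read-back. COOKIE_NAME, SESSION_MAX_AGE_S and the function names are
// assumptions for this example.

const COOKIE_NAME = 'sds_session';
const SESSION_MAX_AGE_S = 60 * 60; // one hour (constructed value)

// Builds the Set-Cookie header value for a freshly issued token.
function buildSessionCookie(token, { secure = true, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9._~+/=-]+$/.test(token)) {
    // Cookie values may not contain whitespace, commas, semicolons or quotes;
    // refuse rather than emit a header the browser would truncate.
    throw new Error('token contains characters not allowed in a cookie value');
  }
  if (sameSite === 'None' && !secure) {
    // Browsers drop SameSite=None cookies that are not also marked Secure.
    throw new Error('SameSite=None requires Secure');
  }
  const attrs = [
    `${COOKIE_NAME}=${token}`,
    'HttpOnly',                 // hidden from document.cookie
    `SameSite=${sameSite}`,     // Lax: not sent on cross-site POSTs from other sites
    'Path=/',
    `Max-Age=${SESSION_MAX_AGE_S}`,
  ];
  if (secure) attrs.push('Secure'); // only sent over https; set false for plain-http localhost dev
  return attrs.join('; ');
}

// Parses a Cookie request header into a name -> value map (first occurrence wins).
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (name && !(name in out)) out[name] = value;
  }
  return out;
}

// Returns the session token carried by the request's cookie, or null.
function readSessionToken(req) {
  const cookies = parseCookieHeader((req.headers || {}).cookie);
  return cookies[COOKIE_NAME] || null;
}

// Constructed usage: what the login response would send, and what a later
// request from the browser would carry.
const loginSetCookie = buildSessionCookie('abc.def-123');
const laterRequest = { headers: { cookie: 'theme=dark; sds_session=abc.def-123' } };
// readSessionToken(laterRequest) returns 'abc.def-123'
```

One caveat that ties back to the CORS issue above: with the front end on `localhost:3000` and the API on `cloudfunctions.net`, the cookie is cross-site, so a `SameSite=Lax` cookie is not sent on the XMLHttpRequest at all. Making that work needs `sameSite: 'None'` with `Secure`, the client sending the request with credentials enabled, and the CORS response naming the exact origin (not `*`) together with `Access-Control-Allow-Credentials: true`; serving the front end and the API from the same site avoids all of that.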