sst / ion

SST v3
https://sst.dev
MIT License

Code adapter not working without CORS override #517

Closed jbrown closed 3 months ago

jbrown commented 3 months ago

Reproduction repo here https://github.com/jbrown/sst-ion-auth-code-bug

I wasn't able to get the code adapter working without adding credentials: 'include' to the /callback fetch request. But when you do that the browser will error if the allowed origins is set to '*'. So I needed to be able to change the CORS settings which wasn't possible without a change to the Auth component. This change allowed me to do the following:

const auth = new sst.aws.Auth("Auth", {
  authenticator: {
    handler: "./infra/auth.handler",
    url: {
      cors: {
        allowCredentials: true,
        allowHeaders: ["content-type"],
        allowMethods: ["*"],
        allowOrigins: ["http://localhost:3000"]
      }
    },
  },
});

In the reproduction repo you can make a local change to Ion as in PR #493.

To test, grab the generated code from the logs to insert into the page and submit.

Please let me know if I'm way off base and missing something. Without this I don't see how the /callback request is going to pass the authorization header, at least it didn't for me.
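The browser-side rule behind the error described in the post above, as an added example that is not part of the original thread or SST's code: a simplified model of the Fetch standard's CORS check and preflight method check. The function names, the lowercase-keyed `headers` object and the sample responses are assumptions made for illustration.

```javascript
// Added example: models two browser-side checks from the Fetch standard.
// Assumption: `headers` is a plain object keyed by lowercase header name.

// CORS check the browser applies to a cross-origin response.
function corsCheck(origin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  const credentialed = credentialsMode === "include";
  // "*" is honoured only when the request carries no credentials.
  if (!credentialed && allowOrigin === "*") return { ok: true };
  if (allowOrigin !== origin) {
    const reason = allowOrigin === "*"
      ? "wildcard origin is rejected for credentialed requests"
      : "origin mismatch";
    return { ok: false, reason };
  }
  if (!credentialed) return { ok: true };
  if (headers["access-control-allow-credentials"] === "true") return { ok: true };
  return { ok: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
}

// Preflight method check: with credentials, "*" is a literal, not a wildcard.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
function preflightAllowsMethod(method, credentialsMode, headers) {
  if (SAFELISTED_METHODS.includes(method)) return true;
  const raw = headers["access-control-allow-methods"] || "";
  const methods = raw.split(",").map((m) => m.trim());
  if (methods.includes(method)) return true;
  return credentialsMode !== "include" && methods.includes("*");
}

// Constructed sample responses (not captured from a real deployment).
const ORIGIN = "http://localhost:3000";
const wildcardResponse = { "access-control-allow-origin": "*" };
const explicitResponse = {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "*",
};

console.log(corsCheck(ORIGIN, "include", wildcardResponse));
console.log(corsCheck(ORIGIN, "include", explicitResponse));
console.log(preflightAllowsMethod("DELETE", "include", explicitResponse));
```

An explicit origin plus `Access-Control-Allow-Credentials: true` should be limited to origins that are trusted to act with the user's credentials, since any allowed origin can then read authenticated responses.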

thdxr commented 3 months ago

sst auth isn't intended to be used via fetch calls - it's meant to be used through redirects

i know this isn't ideal for some experiences but this is the model required by a "standalone auth server"

thdxr commented 3 months ago

going to close for now as we have not released sst.Auth yet

jbrown commented 3 months ago

@thdxr thanks for clarifying