wasp-lang / wasp

The fastest way to develop full-stack web apps with React & Node.js.
https://wasp-lang.dev
MIT License
13.79k stars 1.19k forks source link

Improve our CORS + API story #1303

Open Martinsos opened 1 year ago

Martinsos commented 1 year ago

We had a couple of people so far being confused on how to correctly set up cors to work with their api methods.

The common pitfall seems to be that people are not aware that they also have to set CORS for OPTION, for which you usually then need apiNamespace.

There was also following comment (whole convo):

Btw this doc example is kinda misleading as well, since that header setup does not really work properly image

We should do the following here:

  1. Investigate this a bit better, so it is very clear what is the problem (what are the use cases and how are we not serving them well right now).
  2. Can we do something about it on the Wasp level, by changing how api feature works regarding cors, or adding explicit support for these use cases in Wasp?
  3. How can we improve the docs to cover the problematic use cases, if we can't cover them at the Wasp level.
Martinsos commented 9 months ago

We managed to confuse another user with this! https://github.com/wasp-lang/wasp/issues/1757 . We should fix this!

Martinsos commented 7 months ago

Another confusion: https://discord.com/channels/686873244791210014/1229121387260805230/1229456446106632302 .

Miho puts it well here:

The reason is that: because of the way Express works, the middleware you specify in api gets only applied to the POST method (or whichever method you put in the api). For CORS to work properly, you need the middleware on the OPTIONS method as well!

Martinsos commented 1 month ago

Another connected convo: https://discord.com/channels/686873244791210014/1285239980498620428/1285239980498620428 .

This one is about configuring CORS to allow any domain to access the app, so setting it to *. It is ok for users to do this on their own, but I do wonder if we can make it a bit easier -> better docs, or maybe some primitives that make this simpler for them, so they need to know less about CORS? I think it is worth investigating. Maybe should be a separate GH issue, but putting it here for now.