Cors with credentials fix #934
Conversation
* add comment to relevant parts of the code * manually tested fix for properties and actions * add fix to events as well (I forgot), not manually tested, however it should just work the same
|
Guess the ECA thing clashes with GitHub's email privacy... |
I restarted ECA validation and it is fine now 👍 I will take a look at the code and test it soon. |
|
The latest commit causes OAuth tests to time out, will have to look into why. Can probably cancel the current CI run. |
|
I think this should fix it, I think it might make sense to also implement checking for |
There was a problem hiding this comment.
Hi @justus237
How did you test the functionality?
I tried the following. I used https://github.com/justus237/node-wot-cors which fails as is (as expected). Hence I removed package.json and package-lock.json and installed the dependency based on your PR as follows.
npm install https://github.com/eclipse/thingweb.node-wot.git#pull/934/head
Unfortunately I still see the same CORS warnings on the client.
BTW, the delay before I see the CORS issue in the console or the failure alert is still there.
There was a problem hiding this comment.
The code logic is a bit convoluted but given the current structure of the http-server, I still think we can merge this. I would be ok with merging this if the underlying issue is resolved (see @danielpeintner comments above).
|
@relu91 just somehow related to this PR. Does it make sense to collect such "manual" testcases such as https://github.com/justus237/node-wot-cors in the node-wot repo somewhere? What do you and others think? |
for starting, I think it would be sufficient to have unit tests and verify the behavior. It is not like testing it in a real browser but once we got the behavior right it should help us to keep it correct. |
|
@danielpeintner When testing, I installed only the HTTP bindings from my (local) fork, i.e., |
|
@danielpeintner I updated https://github.com/justus237/node-wot-cors with a postinstall hook, so when in a newly cloned version of the repository, running |
|
Thanks @justus237 for your work. Anyhow, running @relu91 can you give it a try with 2 different machines? Thanks! |
|
Yes I'll try tomorrow 👍🏻 |
My testing is done with (link-local) IP addresses and with mDNS domain names. Is your setup on the Internet? Maybe my fix only works in local subnets for some reason. |
|
I was just using local IP addresses a la 192.168.178.46:8082/some-thing Anyhow, let's wait for @relu91 to check also. |
|
I've just tried with an HTTP tunnel to my local host. I didn't follow through with the discussion, is it enough? basically, I used If the setup is still valid I can confirm that I didn't see any issue with CORS. |
Yeah, it shouldn’t.
Just to make sure, if you expose the server without the fix (e.g., with the old package.json) through a tunnel and open the index.html website locally or as file://, the client on the website fails? |
Yup, it fails. With this, I think we can merge this. @danielpeintner are you ok? |
|
We can add unit tests later, just create an issue to keep this in mind. |
Go ahead 👍 |
Fixes #933 by extending the
respondUnallowedMethodfunction and setting CORS headers differently in case there is a security scheme other than NoSec.