-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cors with credentials fix #934
Cors with credentials fix #934
Conversation
* add comment to relevant parts of the code * manually tested fix for properties and actions * add fix to events as well (I forgot), not manually tested, however it should just work the same
Guess the ECA thing clashes with GitHub's email privacy... |
I restarted ECA validation and it is fine now 👍 I will take a look at the code and test it soon. |
The latest commit causes OAuth tests to time out, will have to look into why. Can probably cancel the current CI run. |
I think this should fix it, I think it might make sense to also implement checking for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @justus237
How did you test the functionality?
I tried the following. I used https://github.com/justus237/node-wot-cors which fails as is (as expected). Hence I removed package.json
and package-lock.json
and installed the dependency based on your PR as follows.
npm install https://github.com/eclipse/thingweb.node-wot.git#pull/934/head
Unfortunately I still see the same CORS warnings on the client.
BTW, the delay before I see the CORS issue in the console or the failure alert is still there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code logic is a bit convoluted but given the current structure of the http-server
, I still think we can merge this. I would be ok with merging this if the underlying issue is resolved (see @danielpeintner comments above).
@relu91 just somehow related to this PR. Does it make sense to collect such "manual" testcases such as https://github.com/justus237/node-wot-cors in the node-wot repo somewhere? What do you and others think? |
for starting, I think it would be sufficient to have unit tests and verify the behavior. It is not like testing it in a real browser but once we got the behavior right it should help us to keep it correct. |
@danielpeintner When testing, I installed only the HTTP bindings from my (local) fork, i.e., |
@danielpeintner I updated https://github.com/justus237/node-wot-cors with a postinstall hook, so when in a newly cloned version of the repository, running |
Thanks @justus237 for your work. Anyhow, running @relu91 can you give it a try with 2 different machines? Thanks! |
Yes I'll try tomorrow 👍🏻 |
My testing is done with (link-local) IP addresses and with mDNS domain names. Is your setup on the Internet? Maybe my fix only works in local subnets for some reason. |
I was just using local IP addresses a la 192.168.178.46:8082/some-thing Anyhow, let's wait for @relu91 to check also. |
I've just tried with an HTTP tunnel to my local host. I didn't follow through with the discussion, is it enough? basically, I used If the setup is still valid I can confirm that I didn't see any issue with CORS. |
Yeah, it shouldn’t.
Just to make sure, if you expose the server without the fix (e.g., with the old package.json) through a tunnel and open the index.html website locally or as file://, the client on the website fails? |
Yup, it fails. With this, I think we can merge this. @danielpeintner are you ok? |
We can add unit tests later, just create an issue to keep this in mind. |
Go ahead 👍 |
Fixes #933 by extending the
respondUnallowedMethod
function and setting CORS headers differently in case there is a security scheme other than NoSec.