Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restore CORS for 401s #4894

Merged
merged 1 commit into from
Jan 7, 2019
Merged

Restore CORS for 401s #4894

merged 1 commit into from
Jan 7, 2019

Conversation

aldeed
Copy link
Contributor

@aldeed aldeed commented Jan 4, 2019

Impact: minor
Type: bugfix

Issue

When I updated to Apollo Server 2.0, I switched to using their built-in CORS middleware. Unfortunately, I've now discovered that this only adds the CORS header for requests that make it past our auth middleware. This could be OK, but it turns out that Apollo Client behavior changes when the 401 response doesn't allow CORS, and this prevents the starterkit auto-token-refresh logic from working properly.

Solution

Add back explicit CORS middleware, prior to the auth middleware.

Breaking changes

None

Testing

Try a GraphQL request with an expired or invalid token, and examine the headers of the 401 response. Verify that you see Access-Control-Allow-Origin: * header.

@aldeed aldeed requested a review from kieckhafer January 4, 2019 00:34
@aldeed aldeed self-assigned this Jan 4, 2019
@aldeed aldeed added this to the 🏔 Shavano milestone Jan 4, 2019
@aldeed aldeed mentioned this pull request Jan 4, 2019
Merged
kieckhafer
kieckhafer approved these changes Jan 7, 2019
View reviewed changes
Copy link
Member

@kieckhafer kieckhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Good, along with the client updates at reactioncommerce/example-storefront#471

kieckhafer
kieckhafer requested changes Jan 7, 2019
View reviewed changes
Copy link
Member

@kieckhafer kieckhafer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, but there is a test failing.

I don't think it's related, looks like a timeout issue, but I've tried re-running it a couple times and it keeps failing.

@aldeed
Copy link
Contributor Author

aldeed commented Jan 7, 2019

@kieckhafer Yes I've noticed that failure happening more often, but it's not related. I'll dig in to see if we can remove or disable that test, but it doesn't need to block this PR.

@kieckhafer kieckhafer merged commit 4ffebe1 into develop Jan 7, 2019
@kieckhafer kieckhafer deleted the fix-aldeed-cors-for-401s branch January 7, 2019 21:20
@kieckhafer
Copy link
Member

Failing test is a timeout error that has been happening intermittently on various PR's, it's not isolated here, therefore it shouldn't block this PR from being merged.

@spencern spencern mentioned this pull request Jan 18, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kieckhafer kieckhafer kieckhafer approved these changes

Assignees

@aldeed aldeed

Labels
None yet
Projects
None yet
Milestone
🏔 Shavano
Development

Successfully merging this pull request may close these issues.
2 participants
@aldeed @kieckhafer