From 67787bdf31c74899d7790742f39844c9129da72e Mon Sep 17 00:00:00 2001 From: Julien Calixte Date: Mon, 1 Jun 2026 21:55:13 +0200 Subject: [PATCH] fix(cors): enable credentials, enumerate origins for PouchDB sessions PouchDB-style apps call fetch with credentials: 'include' to maintain the CouchDB _session cookie. Without Access-Control-Allow-Credentials: true in the preflight response, the browser silently blocks the mutating request (Firefox HAR shows status 0, _securityState insecure). Switching cors/credentials to true forces enumerating allowed origins (wildcard + credentials is forbidden by the CORS spec). Listed are the common Vite/Next/etc. local dev ports plus the vaquant.at frontend. --- README.md | 11 ++++++++++- docker-compose.yml | 4 ++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9b4edfa..0961e62 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,16 @@ If the init logs show CORS errors, you can re-trigger only that step by redeploy ## CORS -Wildcard origin (`*`) with `credentials = false` — the only browser-spec-legal combination with a wildcard. For credentialed auth from the browser, edit the `put_config cors origins`/`credentials` lines in `docker-compose.yml`. +`credentials = true` with an explicit origin list — required for PouchDB-style cookie sessions (`POST /_session`). Wildcard origin is incompatible with credentials per the CORS spec, so allowed origins must be enumerated. + +Update the `put_config cors origins` line in `docker-compose.yml` (comma-separated, no spaces) and redeploy when you add a new frontend. Or apply live: + +``` +curl -fsS -X PUT -u admin:$PASS \ + -H "Content-Type: application/json" \ + https://couch.apoena.dev/_node/_local/_config/cors/origins \ + -d '"http://localhost:8080,https://new-frontend.example.com"' +``` ## Hardcoded values (cloning to another Coolify resource) diff --git a/docker-compose.yml b/docker-compose.yml index 82c8f5d..e0af07f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -60,8 +60,8 @@ services: echo "cfg $$1/$$2 = $$3" } put_config chttpd enable_cors true - put_config cors origins '*' - put_config cors credentials false + put_config cors origins 'http://localhost:8080,http://localhost:5173,http://localhost:3000,http://localhost:4173,https://vaquant.at' + put_config cors credentials true put_config cors methods 'GET, PUT, POST, HEAD, DELETE' put_config cors headers 'accept, authorization, content-type, origin, referer, x-csrf-token'