fix(cors): enable credentials, enumerate origins for PouchDB sessions

PouchDB-style apps call fetch with credentials: 'include' to maintain
the CouchDB _session cookie. Without Access-Control-Allow-Credentials:
true in the preflight response, the browser silently blocks the
mutating request (Firefox HAR shows status 0, _securityState insecure).
Switching cors/credentials to true forces enumerating allowed origins
(wildcard + credentials is forbidden by the CORS spec). Listed are the
common Vite/Next/etc. local dev ports plus the vaquant.at frontend.
This commit is contained in:
Julien Calixte
2026-06-01 21:55:13 +02:00
parent 0ac46ecadb
commit 67787bdf31
2 changed files with 12 additions and 3 deletions

View File

@@ -30,7 +30,16 @@ If the init logs show CORS errors, you can re-trigger only that step by redeploy
## CORS
Wildcard origin (`*`) with `credentials = false` — the only browser-spec-legal combination with a wildcard. For credentialed auth from the browser, edit the `put_config cors origins`/`credentials` lines in `docker-compose.yml`.
`credentials = true` with an explicit origin list — required for PouchDB-style cookie sessions (`POST /_session`). Wildcard origin is incompatible with credentials per the CORS spec, so allowed origins must be enumerated.
Update the `put_config cors origins` line in `docker-compose.yml` (comma-separated, no spaces) and redeploy when you add a new frontend. Or apply live:
```
curl -fsS -X PUT -u admin:$PASS \
-H "Content-Type: application/json" \
https://couch.apoena.dev/_node/_local/_config/cors/origins \
-d '"http://localhost:8080,https://new-frontend.example.com"'
```
## Hardcoded values (cloning to another Coolify resource)

View File

@@ -60,8 +60,8 @@ services:
echo "cfg $$1/$$2 = $$3"
}
put_config chttpd enable_cors true
put_config cors origins '*'
put_config cors credentials false
put_config cors origins 'http://localhost:8080,http://localhost:5173,http://localhost:3000,http://localhost:4173,https://vaquant.at'
put_config cors credentials true
put_config cors methods 'GET, PUT, POST, HEAD, DELETE'
put_config cors headers 'accept, authorization, content-type, origin, referer, x-csrf-token'