More CORS stuff

Dockerfile

@@ -113,8 +113,8 @@ ENV NODE_ENV=production
 # command to launch your server instead of the default api-server below.
 # This is important if you intend to configure GraphQL to use Realtime.
 #
-# CMD [ "./api/dist/server.js" ]
+# CMD [ "node_modules/.bin/rw-server", "api" ]
-CMD [ "node_modules/.bin/rw-server", "api" ]
+CMD [ "./api/dist/server.js" ]
 
 # web serve
 # ---------

api/src/lib/cors.ts

@@ -1,12 +1,15 @@
-import type { FastifyReply } from 'fastify'
+import type { FastifyReply, FastifyRequest } from 'fastify'
 
 import { isProduction } from '@redwoodjs/api/logger'
 
-export const setCorsHeaders = (res: FastifyReply) => {
+export const setCorsHeaders = (req: FastifyRequest, res: FastifyReply) => {
-  res.raw.setHeader(
+  const origins = isProduction
-    'Access-Control-Allow-Origin',
+    ? [process.env.API_ADDRESS_PROD, process.env.ADDRESS_PROD]
-    isProduction ? process.env.ADDRESS_PROD : process.env.ADDRESS_DEV
+    : [process.env.API_ADDRESS_DEV, process.env.ADDRESS_DEV]
-  )
+
+  if (origins.indexOf(req.headers.origin) !== -1)
+    res.raw.setHeader('Access-Control-Allow-Origin', req.headers.origin)
+
   res.raw.setHeader(
     'Access-Control-Allow-Methods',
     'GET, POST, OPTIONS, PATCH, HEAD'

api/src/lib/tus.ts

@@ -26,7 +26,7 @@ export const handleTusUpload = (
   isPublicEndpoint: boolean
 ) => {
   if (isProduction) {
-    if (req.method === 'OPTIONS') handleOptionsRequest(res)
+    if (req.method === 'OPTIONS') handleOptionsRequest(req, res)
     else if (isPublicEndpoint && req.method === 'GET')
       tusHandler.handle(req.raw, res.raw)
     else if (['GET', 'POST', 'HEAD', 'PATCH'].includes(req.method)) {
@@ -40,7 +40,7 @@ export const handleTusUpload = (
       res.raw.end('Method not allowed')
     }
   } else {
-    setCorsHeaders(res)
+    setCorsHeaders(req, res)
     tusHandler.handle(req.raw, res.raw)
   }
 }
@@ -91,8 +91,8 @@ const addUserMetadataToRequest = (req: FastifyRequest, user: User) => {
   ;(req.raw as any).userEmail = user.email
 }
 
-const handleOptionsRequest = (res: FastifyReply) => {
+const handleOptionsRequest = (req: FastifyRequest, res: FastifyReply) => {
-  setCorsHeaders(res)
+  setCorsHeaders(req, res)
   res.raw.statusCode = 204
   res.raw.end()
 }

web/src/App.tsx

@@ -12,7 +12,14 @@ const App = () => (
   <FatalErrorBoundary page={FatalErrorPage}>
     <RedwoodProvider titleTemplate="%PageTitle | %AppTitle">
       <AuthProvider>
-        <RedwoodApolloProvider useAuth={useAuth}>
+        <RedwoodApolloProvider
+          useAuth={useAuth}
+          graphQLClientConfig={{
+            httpLinkConfig: {
+              credentials: 'include',
+            },
+          }}
+        >
           <Routes />
         </RedwoodApolloProvider>
       </AuthProvider>

web/src/auth.ts

@@ -1,5 +1,9 @@
 import { createDbAuthClient, createAuth } from '@redwoodjs/auth-dbauth-web'
 
-const dbAuthClient = createDbAuthClient()
+const dbAuthClient = createDbAuthClient({
+  fetchConfig: {
+    credentials: 'include',
+  },
+})
 
 export const { AuthProvider, useAuth } = createAuth(dbAuthClient)