some updates and notes
parent
0762bc9b8b
commit
e4fc67e09c
@ -36,7 +36,10 @@ async function startApp() {
|
||||
serviceWorker.unregister()
|
||||
}
|
||||
|
||||
// TODO: Chat on options. Pretty hacky.
|
||||
// NOTE: Since users will likely have the backend running on a different domain than
|
||||
// the frontend, we are unable to set the token:
|
||||
// (a) on the page load, as the index.html is not served by Node, nor
|
||||
// (b) via a cookie, since the frontend JS will not be able to access a cross-domain cookie.
|
||||
async function setCsrfToken() {
|
||||
const token = await api.get(config.apiUrl + '/csrf-token')
|
||||
|
||||
|
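Review bot: The token fetched on the `const token = await api.get(config.apiUrl + '/csrf-token')` line is only meaningful if that same cross-domain request also carries the session / csurf secret cookie, which for a browser client means the `api` instance must send credentials; whether it is configured that way is not visible in this hunk, so it is worth confirming and stating. The comment `// TODO: Chat on options. Pretty hacky.` does not tell a reader what is considered hacky; I would replace it with something concrete such as `// TODO: the token is fetched with an extra round-trip on startup because the SPA is not served by the backend; revisit once the hosting setup is settled.` The body of `setCsrfToken` (what is done with the response) continues outside the hunk.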
@ -18,6 +18,7 @@ import { useSession } from './session.js'
|
||||
const app = express()
|
||||
|
||||
app.use(helmet())
|
||||
// TODO: review PR that concerns this.
|
||||
app.use(cors({
|
||||
origin: config.frontendUrl,
|
||||
methods: ['POST', 'PUT', 'GET', 'OPTIONS', 'HEAD'],
|
||||
|
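Review bot: `origin: config.frontendUrl` should be guarded, because if `frontendUrl` is unset the `cors` package (as far as I recall) falls back to its wildcard default and the allowlist silently disappears; a one-line check such as `if (!config.frontendUrl) throw new Error('config.frontendUrl must be set')` before `app.use(cors({` makes the failure loud. Since session.js now sends the cookies with `sameSite: 'none'` for a cross-domain frontend, this cors call also needs `credentials: true` for browsers to attach them; the hunk ends at the `methods:` line, so that option may well be set just below. The `// TODO: review PR that concerns this.` comment would help more if it named which aspect of the CORS policy is under review.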
@ -15,6 +15,7 @@ router.get('/', function (req, res, next) {
|
||||
{=# isAuthEnabled =}
|
||||
router.use('/auth', auth)
|
||||
|
||||
// TODO: ensure this only can be requested by frontend
|
||||
router.get('/csrf-token', function (req, res) {
|
||||
res.json(req.csrfToken())
|
||||
})
|
||||
|
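Review bot: The `// TODO: ensure this only can be requested by frontend` above `router.get('/csrf-token', ...)` asks for a property that cannot be enforced against non-browser clients, and does not need to be: the token returned by `req.csrfToken()` is only accepted together with the requester's own session / csurf secret cookie, so handing it to an arbitrary caller gives them nothing usable against another user. For browser origins the `cors` origin allowlist in the server setup is what keeps other sites from reading the response, provided it is not a wildcard. I would replace the TODO with `// Any client may call this; the token is bound to the caller's own session/csrf cookie, and the CORS origin allowlist stops other browser origins from reading it.`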
@ -15,7 +15,6 @@ const sessionConfig = {
|
||||
saveUninitialized: true,
|
||||
cookie: {
|
||||
httpOnly: true,
|
||||
// TODO: Use sameSite?
|
||||
maxAge: config.session.cookie.maxAge,
|
||||
},
|
||||
store: new PrismaSessionStore(prisma, {
|
||||
@ -36,7 +35,9 @@ const csrfConfig = {
|
||||
export function useSession(app) {
|
||||
if (config.env === 'production') {
|
||||
sessionConfig.cookie.secure = true
|
||||
csurfConfig.cookie.secure = true
|
||||
sessionConfig.cookie.sameSite = 'none'
|
||||
csrfConfig.cookie.secure = true
|
||||
csrfConfig.cookie.sameSite = 'none'
|
||||
}
|
||||
|
||||
app.use(session(sessionConfig))
|
||||
|
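Review bot: The new `sessionConfig.cookie.sameSite = 'none'` and `csrfConfig.cookie.sameSite = 'none'` lines switch off the browser's SameSite CSRF protection for both cookies, which is only necessary when frontend and backend live on different registrable domains (different sites), not merely different origins; if they share a parent domain, `'lax'` keeps that defence while still allowing the cross-origin XHR, so the choice deserves a comment. I would add above the `if (config.env === 'production') {` line: `// The frontend is served from a different site, so the cookies must be SameSite=None (which browsers only accept with Secure); csurf is then the only CSRF defence.` Note also that outside production neither `secure` nor `sameSite` is set, so browsers apply their Lax default and the cross-site flow behaves differently in development than in production, which is presumably intended but worth stating.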