feat(): enable CORS server-side for passwordless POST requests #20311
Pull request overview
This PR updates the FxA auth-server passwordless routes to allow cross-origin POST requests to include credentials (cookies/auth headers) when CORS is configured with explicit allowlisted origins.
Changes:
- Conditionally enables cors.credentials = true for passwordless POST routes when config.corsOrigin is not wildcard.
- Applies the CORS credentials option to /send_code, /confirm_code, and /resend_code.
| ); | ||
|
|
||
| // Enable CORS credentials only when using explicit origins (not wildcard, per CORS spec) | ||
| const enableCredentials = config.corsOrigin && config.corsOrigin[0] !== '*'; |
enableCredentials is documented as disabling credentials when using a wildcard origin, but the implementation only checks corsOrigin[0] !== '*'. If corsOrigin ever contains '*' in a non-first position (e.g., via env parsing/ordering), credentials could be enabled while still effectively allowing wildcard origins, which violates the CORS credential rules. Consider computing this as “has at least one origin and does not include '*' anywhere” (and optionally guarding against an empty array).
| const enableCredentials = config.corsOrigin && config.corsOrigin[0] !== '*'; | |
| const enableCredentials = | |
| config.corsOrigin && | |
| config.corsOrigin.length > 0 && | |
| !config.corsOrigin.includes('*'); |
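Review bot: the suggested expression still assumes config.corsOrigin is an array; if the value can arrive as a single string (the env-parsing case raised above), .includes('*') becomes a substring test and the original [0] !== '*' reads only the first character, so an Array.isArray(config.corsOrigin) guard in front of the length and includes checks would make the allowlist test correct for both shapes. It also evaluates to undefined rather than false when corsOrigin is unset, which the object spread below tolerates but makes the value awkward to assert on; wrapping the whole expression in Boolean(...) keeps enableCredentials strictly boolean.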
| ...PASSWORDLESS_DOCS.PASSWORDLESS_SEND_CODE_POST, | ||
| ...(enableCredentials && { | ||
| cors: { | ||
| credentials: true, | ||
| }, | ||
| }), |
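Review bot: when enableCredentials is false the spread omits the cors key entirely, so a wildcard-origin deployment falls back to whatever CORS settings the server applies by default rather than explicitly setting credentials: false; please confirm that fallback never emits Access-Control-Allow-Credentials alongside a wildcard origin, since that is the combination browsers reject and the comment in the first hunk says the code is guarding against. Because the same ...(enableCredentials && { cors: { credentials: true } }) block is repeated for /send_code, /confirm_code and /resend_code per the overview, pulling it into one shared constant would keep the three routes from drifting apart.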
The new conditional cors: { credentials: true } behavior isn’t covered by tests. Since this changes cross-origin behavior for these endpoints, please add/update unit tests (e.g., in lib/routes/passwordless.spec.ts) to assert that route.options.cors.credentials is enabled when config.corsOrigin is an explicit allowlist and not enabled when it is ['*'].
Because
This pull request
Issue that this pull request solves
Closes: FXA-13329
Other information (Optional)
We "flipped the switch" for CORS client-side here: #20293 but neglected to follow suit server-side, as the pattern shows here for the account/create endpoint, for example: #20003