Fix CORS when using credentials headers

src/plugins/adapter-express/index.ts

@@ -22,6 +22,12 @@ export const RxServerAdapterExpress: RxServerAdapter<Express, Request, Response>
             optionsSuccessStatus: 200
         }));
     },
+    enableCredentials(serverApp, origin) {
+        serverApp.use(expressCors({
+            origin: origin,
+            credentials: true
+        }));
+    },
 
     getRequestBody(req: Request) {
         return req.body;
@@ -71,6 +77,7 @@ export const RxServerAdapterExpress: RxServerAdapter<Express, Request, Response>
             'Content-Type': 'text/event-stream; charset=utf-8',
             'Connection': 'keep-alive',
             'Cache-Control': 'no-cache',
+            'access-control-allow-credentials': 'true',
             /**
              * Required for nginx
              * @link https://stackoverflow.com/q/61029079/3443137

src/plugins/replication-server/index.ts

@@ -95,6 +95,7 @@ export function replicateServer<RxDocType>(
                 const url = options.url + `/pull?lwt=${lwt}&id=${id}&limit=${batchSize}`;
                 const response = await fetch(url, {
                     method: 'GET',
+                    credentials: 'include',
                     headers: Object.assign({
                         'Accept': 'application/json',
                         'Content-Type': 'application/json'
@@ -118,6 +119,7 @@ export function replicateServer<RxDocType>(
             async handler(changeRows) {
                 const response = await fetch(options.url + '/push', {
                     method: 'POST',
+                    credentials: 'include',
                     headers: Object.assign({
                         'Accept': 'application/json',
                         'Content-Type': 'application/json'

src/plugins/server/endpoint-replication.ts

@@ -55,7 +55,7 @@ export class RxServerReplicationEndpoint<ServerAppType, AuthType, RxDocType> imp
     ) {
         const adapter = this.server.adapter;
 
-        setCors(this.server, [this.name].join('/'), cors);
+        setCors(this.server, [this.name].join('/'), cors, this.server.options.useCredentials);
         blockPreviousReplicationVersionPaths(this.server, [this.name].join('/'), collection.schema.version);
 
         this.urlPath = [this.name, collection.schema.version].join('/');

src/plugins/server/endpoint-rest.ts

@@ -57,7 +57,7 @@ export class RxServerRestEndpoint<ServerAppType, AuthType, RxDocType> implements
         public readonly cors?: string
     ) {
         const adapter = server.adapter;
-        setCors(this.server, [this.name].join('/'), cors);
+        setCors(this.server, [this.name].join('/'), cors, this.server.options.useCredentials);
         blockPreviousReplicationVersionPathsRest(this.server, [this.name].join('/'), collection.schema.version);
 
         this.urlPath = [this.name, collection.schema.version].join('/');

src/plugins/server/helper.ts

@@ -19,14 +19,17 @@ import {
 export function setCors(
     server: RxServer<any, any>,
     path: string,
-    cors?: string
+    cors?: string,
+    enableCredentials?: boolean
 ) {
     let useCors = cors;
     if (!useCors) {
         useCors = server.cors;
     }
     if (useCors) {
-        server.adapter.setCors(server.serverApp, path, useCors);
+        enableCredentials && useCors != '*' ? // if cors is '*' we cannot enable credentials
+        server.adapter.enableCredentials(server.serverApp, useCors) : 
+            server.adapter.setCors(server.serverApp, path, useCors);
     }
 }
 

src/plugins/server/index.ts

@@ -25,7 +25,8 @@ export async function createRxServer<ServerAdapterType, AuthType>(
         options,
         authHandler,
         ensureNotFalsy(options.serverApp),
-        options.cors
+        options.cors,
+        options.useCredentials
     );
 
     return server;

src/plugins/server/rx-server.ts

@@ -26,7 +26,8 @@ export class RxServer<ServerAppType, AuthType> {
         public readonly options: RxServerOptions<ServerAppType, AuthType>,
         public readonly authHandler: RxServerAuthHandler<AuthType>,
         public readonly serverApp: ServerAppType,
-        public readonly cors: string = '*'
+        public readonly cors: string = '*',
+        public readonly useCredentials: boolean = false
     ) {
         this.database = options.database;
         this.adapter = options.adapter;

src/plugins/server/types.ts

@@ -24,6 +24,7 @@ export type RxServerOptions<ServerAppType, AuthType> = {
      * [default='*']
      */
     cors?: '*' | string;
+    useCredentials?: boolean;
 };
 
 
@@ -37,6 +38,7 @@ export type RxServerAdapter<ServerAppType, RequestType = any, ResponseType = any
     all(app: ServerAppType, path: string, handler: RxServerRouteHandler<RequestType, ResponseType>): void;
 
     setCors(app: ServerAppType, path: string, cors: string): MaybePromise<void>;
+    enableCredentials(app: ServerAppType, origin:string): MaybePromise<void>;
 
     getRequestBody(req: RequestType): any;
     getRequestHeaders(req: RequestType): { [k: string]: string };