dbAuth: No more process.env.RWJS_API_DBAUTH_URL #7032
packages/auth-providers/dbAuth/setup/src/templates/web/auth.webAuthn.ts.template
Could you expand on Vite not liking env vars? env vars seem very necessary for auth to me, and nearly all the other auth providers use them during initialization
We should avoid using All the auth providers, on the web side, instantiate a client with envars in the user's codebase, then pass it to the framework - process.env is never used in the provider or framework code (on the web side). But in dbAuth we directly configure it from values in the Redwood.toml - this is inconsistent, and also the cause of incompatibility between webpack and vite.
@Tobbe changes look good to me... but just wondering where we pass in the CORS config for dbAuth? It might make sense that it's configured the same way. https://redwoodjs.com/docs/cors#graphql-xhr-credentials
Found a note on why:
Thanks @dac09. Dom and I talked yesterday and I explained the Vite env vars stuff. But good to also have it "on paper". And about CORS, it's still configured the same way as it was before. You pass a config object to dbAuth when you set it up. I reused that same config object for the custom api url. Just added another option to it. So nothing has (or needs to) change regarding CORS
Thanks @Tobbe! We should think about moving the CORS config too perhaps (not in this PR obviously) - because to me with the new auth "thing" we have in src/web/auth it feels like the most obvious place to configure your client!
Using process.env is troublesome for Vite. Also, overriding default values by passing them as config to the auth client brings dbAuth more in line with the other auth providers.
This PR also adds tests for webAuthn, that we were lacking. And fixes a bug where the cookie matching was too lax.