Abort login flow if CORS error is encountered #41

Open
dchiquito opened this issue Feb 9, 2022 · 3 comments

@dchiquito

If CORS is misconfigured on the server, the authorization flow can still succeed. However, when maybeRestoreLogin is called, it performs an XHR call to get a token from the API server, which fails because of CORS. This error is interpreted as meaning that the user is not authenticated, so the browser is redirected to the start of the OAuth flow again, creating an infinite loop.

It would be nice if the OAuth client could distinguish between a 401 and a CORS error and abort the login flow with an informative error if a CORS error is encountered.

attn @zachmullen

@zachmullen
Contributor

It's possible I'm misunderstanding, but I think this might have to be addressed downstream, because the XHRs that trigger the CORS error are not happening inside this library, but in the downstream one.

@zachmullen
Contributor

On further digging, I think my last comment was wrong. This code is silently eating CORS errors; we should probably handle that differently.

@brianhelba
Contributor

Good point, we should try harder to distinguish different causes of failure in that code.
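
An added example, not part of the thread and not this project's code: one way a client could separate a 401 from a CORS or network failure on the token request and stop the redirect loop the issue describes. It assumes a `fetch`-style request; the names `classifyTokenResult`, `decideNextStep`, `restoreLogin` and `MAX_REDIRECTS` are hypothetical.

```javascript
// Assumed bound on automatic re-login attempts before giving up.
const MAX_REDIRECTS = 2;

// Classify the outcome of the token request.
// `result` is { response } if the promise resolved, { error } if it rejected.
function classifyTokenResult(result) {
  if (result.error) {
    // fetch() rejects with a TypeError both for CORS blocks and for plain
    // network failures. Browsers do not tell scripts which one occurred, so
    // both are reported as "transport" rather than as "not logged in".
    return result.error instanceof TypeError ? 'transport' : 'unexpected';
  }
  const { status } = result.response;
  if (status >= 200 && status < 300) return 'authenticated';
  if (status === 401) return 'unauthenticated';
  return 'server-error';
}

// Decide what the login flow does next. Only a real 401 restarts the OAuth
// flow, and only a bounded number of times.
function decideNextStep(kind, redirectsSoFar) {
  switch (kind) {
    case 'authenticated':
      return { action: 'continue' };
    case 'unauthenticated':
      return redirectsSoFar < MAX_REDIRECTS
        ? { action: 'redirect' }
        : { action: 'abort', message: 'Login loop detected; giving up.' };
    case 'transport':
      return {
        action: 'abort',
        message: 'Token request was blocked or unreachable. ' +
                 'Check the CORS configuration of the API server.',
      };
    default:
      return { action: 'abort', message: `Token request failed (${kind}).` };
  }
}

// Wrapper that performs the request; fetchImpl is injectable for testing.
async function restoreLogin(tokenUrl, redirectsSoFar, fetchImpl = fetch) {
  let result;
  try {
    result = { response: await fetchImpl(tokenUrl) };
  } catch (error) {
    result = { error };
  }
  return decideNextStep(classifyTokenResult(result), redirectsSoFar);
}
```

The redirect counter has to survive the round trip through the authorization server (for example in `sessionStorage`), otherwise the bound resets on every page load.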
