
Commit ac9d6e1

committed
fix: prevent CORS due to withCredentials
1 parent 6b01f9d commit ac9d6e1


3 files changed

+11
-11
lines changed


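--- a/.changeset/tasty-cooks-train.md
+++ b/.changeset/tasty-cooks-train.md
@@ -0,0 +1,5 @@
+---
+"@navigraph/auth": minor
+---
+
+Fix issue where wrong endpoint would be called with `withCredentials` set to true, causing CORS issues.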

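--- a/packages/auth/src/flows/device-flow.ts
+++ b/packages/auth/src/flows/device-flow.ts
@@ -7,7 +7,6 @@ import {
 DeviceFlowTokenExpiredError,
 InvalidClientError,
 InvalidScopeError,
-Scope,
 } from "@navigraph/app";
 import axios, { AxiosError } from "axios";
 import { getIdentityDeviceAuthEndpoint } from "../constants";
@@ -59,10 +58,7 @@ export async function signInWithDeviceFlow(callback: DeviceFlowCallback): Promis
 code_challenge,
 code_challenge_method: "S256",
 }),
-{
-headers: { "Content-Type": "application/x-www-form-urlencoded" },
-withCredentials: app.scopes.includes(Scope.TILES) ? true : undefined,
-}
+{ headers: { "Content-Type": "application/x-www-form-urlencoded" } }
 )
 .catch((err: AxiosError<FailedAuthorizationResponse>) => {
 const status = err.response?.status;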

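--- a/packages/auth/src/flows/shared.ts
+++ b/packages/auth/src/flows/shared.ts
@@ -1,4 +1,4 @@
-import { Logger } from "@navigraph/app";
+import { Logger, Scope } from "@navigraph/app";
 import axios from "axios";
 import { getIdentityTokenEndpoint } from "../constants";
 import { setUser, tokenStorage } from "../internal";
@@ -7,11 +7,10 @@ import { TokenResponse } from "../types";
 
 export async function tokenCall(params: Record<string, string>) {
 return axios
-.post<TokenResponse>(
-getIdentityTokenEndpoint(),
-new URLSearchParams(params),
-{ headers: { "Content-Type": "application/x-www-form-urlencoded" }} // prettier-ignore
-)
+.post<TokenResponse>(getIdentityTokenEndpoint(), new URLSearchParams(params), {
+withCredentials: params.scopes?.includes(Scope.TILES) ? true : undefined,
+headers: { "Content-Type": "application/x-www-form-urlencoded" },
+})
 .then(async ({ data }) => {
 if (data.access_token && data.refresh_token) {
 await tokenStorage.setAccessToken(data.access_token);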
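Review bot: The new `withCredentials` gate at `params.scopes?.includes(Scope.TILES)` is a substring test, not a membership test: `params` is typed `Record<string, string>`, so `scopes` here is a string, whereas the gate this replaces in device-flow.ts was `app.scopes.includes(Scope.TILES)` on an array. Any scope value that merely contains the `Scope.TILES` text would therefore also turn on cookie-bearing cross-origin requests to the token endpoint, which is exactly the condition this commit is trying to narrow. If `scopes` is the space-delimited OAuth scope parameter (inferred from its use in `URLSearchParams`, please confirm), an exact check is safer: `withCredentials: params.scopes?.split(" ").includes(Scope.TILES) ? true : undefined,`. A short why-comment above that line would help the next reader, e.g. `// Cookies are only needed for the tiles scope; sending them on other requests causes CORS failures`. The body of `tokenCall` continues past the end of the hunk.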
