CORS Policy issue

[charbs-io]

Access to fetch at 'https://appname.pockethost.io/api/collections/budgets/records?page=1&perPage=10&sort=created' from origin 'https://app.appname.com' has been blocked by CORS policy: Request header field workspace-id is not allowed by Access-Control-Allow-Headers in preflight response.

Hi, I'm using PocketBase's beforeSend method from the JS SDK to insert a custom header with each request (workspace-id). This is specific to my app needs, and it enables a fairly complex multi tenant (sort of) scenario to happen.

PocketHost doesn't seem to like it though, is there anything I can do at all on the PocketHost side to fix this?

[benallfree]

Since you’re in the code already, take a look at the cors stuff in the ProxyService. Maybe you can send another PR :)

[charbs-io]

@benallfree - all I can think of is adding

res.setHeader('Access-Control-Allow-Headers', '*')

before we return the handler of the middleware.push method.

But I have no idea if this would present any security implications on production environments...

[charbs-io]

Here's what I could come up with...
https://github.com/charbs-io/pockethost/commit/1e538b199186cf391f45f4d50bf5622bc4cae56f

This certainly fixes the issue stated above (tested locally while running the PocketHost stack). But as I mentioned earlier, I have no idea if there are serious security implications from this.

[charbs-io]

@benallfree thoughts on the above?

[benallfree]

@charbs-io I've been thinking about it, and I think it would be okay to use your solution. The PocketHost code is really just a proxy, so I don't see any issue with allowing all headers. pocketbase can always deny downstream. Please submit a PR for me to review and I'll push it out asap :)

[charbs-io]

@benallfree I agree. I had to (temporarily) host my app on Fly.io and my setup had no issues. I've thought about this a bit more too and I think it's fine. Thanks for getting back to me. PR Open. I look forward to moving the hosting to PocketHost once this is done! (My app will also be a good production usecase for pb_hooks on PocketHost - a good way to test it.)

[leninriv]

Was this fixed? It still doesn't work for me

[benallfree]

Can you provide more detail please?

[leninriv]

thanks for answer.
sure.
i clone the repo in my computer, the master branch
i created the .env file
i run the yarn install and yarn dev
the server is runin g but im seeing this error in the console.

i can access to "https://app.pockethost.lvh.me" from my browser. but im not able to login or create an account in my local.

im having this message from my browser.

thanks for your help!

[benallfree]

I see, I didn't realize you were trying to run the whole stack locally.

There is a lot of work being done in the next week or two. My best suggestion is to head over to our Discord server so we can keep in touch about updates and have you try some stuff.

[leninriv]

Cool. Thanks !