Fix CORS: reflect request headers instead of wildcard · baileytownsend.dev/pds-gatekeeper@e48cb5e

Microservice to bring 2FA to self hosted PDSes

Fix CORS: reflect request headers instead of wildcard

Firefox rejects credentialed cross-origin requests when
Access-Control-Allow-Headers is `*`, because per the Fetch spec
the wildcard is not treated as a wildcard when credentials are
involved. This causes failures on endpoints like getSession
and createSession when accessed from bsky.app.

Switch from `.allow_headers(Any)` to `.allow_headers(AllowHeaders::mirror_request())`
which echoes the browser's Access-Control-Request-Headers back verbatim,
matching the behaviour of the PDS's Express cors middleware.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

authored by

Enrico Graziani

Claude Opus 4.6 and committed by

tangled.org 1 week ago e48cb5ee 04f863e2

+2 -2

1 changed file

expand all

unified split

src

main.rs

+2 -2

src/main.rs

··· 33 33 }; 34 34 use tower_http::{ 35 35 compression::CompressionLayer, 36 - cors::{Any, CorsLayer}, 36 + cors::{AllowHeaders, Any, CorsLayer}, 37 37 }; 38 38 use tracing::log; 39 39 use tracing_subscriber::{EnvFilter, fmt, prelude::*}; ··· 352 352 let cors = CorsLayer::new() 353 353 .allow_origin(Any) 354 354 .allow_methods([Method::GET, Method::OPTIONS, Method::POST]) 355 - .allow_headers(Any); 355 + .allow_headers(AllowHeaders::mirror_request()); 356 356 357 357 let mut app = Router::new() 358 358 .route("/", get(root_handler))