fix(oauth): CORS headers on /oauth/logout response

handleLogout bypassed sendJson (because it needs Set-Cookie to clear the
session cookie) and so returned only content-type. the browser then
blocked the response because credentialed cross-origin responses
require an explicit Access-Control-Allow-Origin (not '*'). the server
still cleared the session server-side, so on refresh the user appeared
"logged out" even though JS saw a NetworkError.

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>

zzstoatzz 90d9688a e544fc39

+9 -4
backend/src/oauth.zig
··· 22 22 const store = @import("state.zig"); 23 23 const logfire = @import("logfire"); 24 24 25 - // `transition:chat.bsky` grants access to chat.bsky.* xrpc endpoints 26 - // (proxied through the user's PDS to did:web:api.bsky.chat). needed so 27 - // subscribers can receive DM deliveries on their own behalf. 28 - pub const SCOPE = "atproto repo:tech.waow.pub-search.subscription transition:chat.bsky"; 25 + // only the scope needed to write the pub-search subscription record to 26 + // the user's PDS. DM delivery is done by the @pub-search.waow.tech bot 27 + // with its own app-password session — no chat scope needed on the user. 28 + pub const SCOPE = "atproto repo:tech.waow.pub-search.subscription"; 29 29 30 30 pub const Config = struct { 31 31 io: Io, ··· 881 881 break; 882 882 } 883 883 } 884 + // the only endpoint that both clears the cookie AND needs CORS creds 885 + // headers — can't use sendJson because we also need Set-Cookie 884 886 try request.respond("{\"ok\":true}", .{ 885 887 .status = .ok, 886 888 .extra_headers = &.{ 887 889 .{ .name = "content-type", .value = "application/json" }, 888 890 .{ .name = "set-cookie", .value = "pubsearch_session=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0" }, 891 + .{ .name = "access-control-allow-origin", .value = cfg.frontend_origin }, 892 + .{ .name = "access-control-allow-credentials", .value = "true" }, 893 + .{ .name = "vary", .value = "origin" }, 889 894 }, 890 895 }); 891 896 }
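Review bot: On the SCOPE hunk in backend/src/oauth.zig (diff lines 25-28), dropping `transition:chat.bsky` is the right least-privilege narrowing, but nothing in this diff removes any code path that called chat.bsky.* with the user's session; confirm no remaining handler still proxies chat requests on the user's behalf, since such calls would be refused under the narrower scope. Also worth a sentence in the commit message: sessions authorized under the old scope keep the chat grant until their tokens expire or are revoked, so the change only takes effect for new authorizations.

Review bot: In the handleLogout hunk (diff lines 884-894), the three CORS headers (`access-control-allow-origin`, `access-control-allow-credentials`, `vary`) are now a hand-maintained copy of what sendJson emits, and the bug this commit fixes is exactly what happens when the two copies drift; consider giving sendJson an optional extra-headers argument so `Set-Cookie` can be passed through and one place owns the CORS logic. One further check: the clearing cookie (`pubsearch_session=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`) only removes the session cookie if its Path and Domain match the attributes used when the cookie was originally set, so keep both the set and clear forms derived from a single constant.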