Challenges - pcimino/nodejs-restify-mongodb GitHub Wiki

Challenges

Cross Domain

I am using this project as a backend to develop an Enyo MVC application. There are two ways to do this:

  1. Develop the application within the /www directory of this project
  2. Run a separate server dedicated to the app, and connect to this server

Option 2 is cleaner, keeping the code bases apart, but presents an issue: cross-domain security. Browsers and servers, generally, by default, refuse POSTs between two domain addresses: both the host name and the port have to match for a POST to work. For my development I'm running the REST server on http://localhost:3000 and my application server on http://localhost:8888, so they are different domains.

GETs will still work, but POSTs with credentials will fail, which means the whole Client Session cookie authorization scheme fails.

To fix this I had to make changes on both the server and the client. On the server I added the se7ensky-restify-preflight module, a request pre-flight handler that supports cookie authorization from any domain (Access-Control-Allow-Origin set to *). If you needed something like this in production you would want to set up a domain filter so that only approved domains get through.
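The domain filter mentioned above, written out as an added example. This is not code from the project or from the se7ensky-restify-preflight module; it is a small restify/connect-style handler (function (req, res, next), using only req.headers, res.header() and res.send()) with an origin allowlist. The allowlist contents are constructed for the example: the http://localhost:8888 app server from this page plus a hypothetical production origin. One detail matters for the credentialed case: browsers refuse to expose a response carrying Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin is *, so the handler echoes the exact approved origin instead of the wildcard.

```javascript
// Added example, not part of the nodejs-restify-mongodb project or of
// se7ensky-restify-preflight: a CORS handler with an origin allowlist for
// credentialed (cookie) requests.

// Constructed allowlist: the app server from the wiki page plus a
// hypothetical production front end.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:8888',     // Enyo app server used on this page
  'https://app.example.com',   // hypothetical production origin
]);

// Returns a middleware in the restify/connect shape: (req, res, next).
// restify convention: next(false) stops the handler chain after a response
// has been sent, next() continues to the route handler.
function corsAllowlist(allowedOrigins) {
  return function handle(req, res, next) {
    const origin = req.headers.origin;

    // No Origin header: same-origin or non-browser client, nothing to do.
    if (!origin) return next();

    if (!allowedOrigins.has(origin)) {
      // Unknown origin: emit no CORS headers at all. The browser will then
      // refuse to hand the response to the page. Note this is a browser-side
      // disclosure control, not server-side authorization; the route still
      // has to check the session itself.
      if (req.method === 'OPTIONS') {
        res.send(403);
        return next(false);
      }
      return next();
    }

    // Approved origin: echo it back exactly. A literal "*" is rejected by
    // browsers once Allow-Credentials is true, so the wildcard cannot be used.
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Credentials', 'true');
    // Vary on Origin so a shared cache never serves one origin's headers
    // to a request from another origin.
    res.header('Vary', 'Origin');

    if (req.method === 'OPTIONS') {
      // Preflight: advertise what the real request may use, then stop.
      res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
      res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
      res.header('Access-Control-Max-Age', '600');
      res.send(204);
      return next(false);
    }
    return next();
  };
}

// Self-check driver: runs the handler against plain mock req/res objects so
// the behaviour can be inspected without starting a server.
function runHandler(method, origin) {
  const headers = {};
  let status = null;
  let chainContinued = false;
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    header(name, value) { headers[name] = value; },
    send(code) { status = code; },
  };
  corsAllowlist(ALLOWED_ORIGINS)(req, res, (stop) => {
    chainContinued = stop !== false;
  });
  return { headers, status, chainContinued };
}

console.log(runHandler('OPTIONS', 'http://localhost:8888'));
console.log(runHandler('POST', 'http://localhost:8888'));
console.log(runHandler('POST', 'http://other.example'));
```

Wire it in with restify's pre-routing hook (server.pre in restify, or server.use if every route should see it) so the OPTIONS preflight is answered before routing. The allowed-origin POST case leaves status unset and continues the chain, which is what lets the session login route run and set its cookie; an unknown origin never receives an Access-Control-Allow-Origin header at all.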

That leaves the client side. When you run the client application from another server, the Login functionality appears to work, but the Client session cookie is not persisted, so all subsequent auth calls fail. The client needs to send the cookie as well. For this you tell the browser to make credentialed requests by setting withCredentials on the underlying XMLHttpRequest, which jQuery exposes through the xhrFields option. With jQuery AJAX it looks like this:

// Credentialed cross-domain POST: withCredentials makes the browser attach the
// session cookie to the request and accept Set-Cookie from the other origin.
$.ajax({
  type: "POST",
  url: "http://localhost:3000/api/v1/session/login",
  xhrFields: {
    withCredentials: true
  },
  data: $('#inputForm').serialize(),
  success: function(data, textStatus, xhr) {},
  error: function(err) {}
});
