IndieAuth and CORS

Is it feasible to set the access-control-allow-origin header to * for indieauth/auth and indieauth/token?

I’m working on an SPA web app and it’s not possible to handle the IndieAuth workflow entirely client side because the auth code can’t be exchanged for a token due to CORS restrictions on the token endpoint.

I noticed that the account/verify endpoint does have all origins enabled via the allow origin header so tokens can be verified if generated by the user.

🔴 /indieauth/auth

🟢 /account/verify

Understanding that there may be a security reason for this difference, would this be a use case better served by the email workflow?

Enabling CORS headers for the auth endpoints seems fine to me. I’ll make that change today. Thanks!
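As an added illustration of what enabling CORS on the token endpoint involves (this is not Micro.blog's code or anything posted in this thread): a minimal IndieAuth-style token exchange handler that answers the browser's preflight and the form-encoded POST with a wildcard origin, while still binding the code to the client_id, redirect_uri and PKCE verifier. The endpoint function, the in-memory code store and every sample value are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import parse_qs

# Wildcard origin: any SPA may call the endpoint. There is deliberately no
# Access-Control-Allow-Credentials header: browsers refuse "*" combined with
# credentials, and the code exchange must not depend on cookies anyway.
CORS_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Accept",
}


def s256(verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def new_store() -> dict:
    """Constructed stand-in for codes issued by the authorization endpoint."""
    return {"code-abc": {
        "client_id": "https://app.example/",
        "redirect_uri": "https://app.example/cb",
        "code_challenge": s256("verifier-123"),
        "me": "https://user.example/",
    }}


def token_endpoint(method: str, body: str = "", store=None):
    """Handle one request to the token endpoint; returns (status, headers, body).
    body is a dict for JSON responses (the HTTP layer would encode it)."""
    store = store if store is not None else new_store()
    if method == "OPTIONS":  # preflight the browser sends before the POST
        return 204, CORS_HEADERS, None
    if method != "POST":
        return 405, CORS_HEADERS, {"error": "invalid_request"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    issued = store.pop(form.get("code", ""), None)  # codes are single use
    if (issued is None
            or form.get("grant_type") != "authorization_code"
            or form.get("client_id") != issued["client_id"]
            or form.get("redirect_uri") != issued["redirect_uri"]
            or s256(form.get("code_verifier", "")) != issued["code_challenge"]):
        return 400, CORS_HEADERS, {"error": "invalid_grant"}
    return 200, CORS_HEADERS, {"access_token": "tok-1", "token_type": "Bearer",
                               "me": issued["me"]}
```

Because the exchange is protected by the single-use code, the client_id/redirect_uri match and the PKCE verifier rather than by the caller's origin, a wildcard Access-Control-Allow-Origin on this endpoint does not weaken it.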

@manton — thanks for enabling this. I am able to get it working in development on localhost and on the main Netlify domain for what I am working on, but for some reason the branch previews for Netlify deploys are getting a 500 error posting to the indieauth/token endpoint.

For example, the same code deployed to https://{app}.netlify.app works fine, but at https://deploy-preview-1--{app}.netlify.app the IndieAuth token endpoint returns a 500 error.

Are there any logs I can check for more info, or details you can see on your end, that would indicate whether the error is on my side?