Is it feasible to set the access-control-allow-origin header to * for indieauth/auth and indieauth/token?
I’m working on an SPA web app and it’s not possible to handle the IndieAuth workflow entirely client side because the auth code can’t be exchanged for a token due to CORS restrictions on the token endpoint.
I noticed that the account/verify endpoint does have all origins enabled via the allow origin header so tokens can be verified if generated by the user.
/indieauth/auth
/account/verify
Understanding that there may be a security reason for this difference, would this be a use case better served by the email workflow?
@manton — thanks for enabling this. I am able to get it working in development on localhost and on the main Netlify domain for what I am working on, but for some reason the branch previews for Netlify deploys are getting a 500 error posting to the indieauth/token endpoint.
For example, the same code deployed to https://{app}.netlify.app works fine, but at https://deploy-preview-1--{app}.netlify.app the IndieAuth token endpoint returns a 500 error.
Are there any logs I can check for more info or details you can see on your end that would indicate if the error is on my side?