Skip to content

allow frontend to read x-lago-token header #3921

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 7, 2025
Merged

allow frontend to read x-lago-token header #3921

merged 1 commit into from
Jul 7, 2025

Conversation

mariohd
Copy link
Contributor

@mariohd mariohd commented Jul 4, 2025
edited
Loading

Necessary for ISSUE-978

To make the response header available on front, we need to expose him on CORS configuration.

lago-api/config/initializers/cors.rb

Lines 5 to 28 in 51d309a

Rails.application.config.middleware.insert_before(0, Rack::Cors) do
allow do
if ENV.key?("LAGO_FRONT_URL")
uri = URI(ENV["LAGO_FRONT_URL"])
frontend_origin = if uri.port.in?([80, 443])
uri.host
else
[uri.host, uri.port].join(":")
end
origins frontend_origin
elsif ENV.key?("LAGO_DOMAIN")
origins ENV["LAGO_DOMAIN"]
elsif Rails.env.development?
origins "app.lago.dev", "api", "lago.ngrok.dev"
end
resource "*",
headers: :any,
methods: %i[get post put patch delete options head],
expose: ['x-lago-token']
end
end

This should not expose the header to any other page besides the ones listed on origins calls.

ENV["LAGO_FRONT_URL"],
ENV["LAGO_DOMAIN"],
"app.lago.dev",
"api",
"lago.ngrok.dev"

@mariohd mariohd force-pushed the fix/allow-x-lago-token branch from 51d309a to 0c441f1 Compare July 4, 2025 18:05
julienbourdeau
julienbourdeau approved these changes Jul 7, 2025
View reviewed changes
Copy link
Contributor

@julienbourdeau julienbourdeau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL

@mariohd mariohd merged commit 0a51599 into main Jul 7, 2025
14 checks passed
@mariohd mariohd deleted the fix/allow-x-lago-token branch July 7, 2025 13:26
diegocharles pushed a commit that referenced this pull request Jul 11, 2025
@mariohd @diegocharles
allow frontend to read x-lago-token header (#3921)
8b15428 
Necessary for
[ISSUE-978](https://linear.app/getlago/issue/ISSUE-978/use-renewed-token-on-new-calls)

To make the response header available on front, we need to expose him on
CORS configuration.


https://github.com/getlago/lago-api/blob/51d309a81861aa93fba9288ce97aa43ea8105c0d/config/initializers/cors.rb#L5-L28

This should not expose the header to any other page besides the ones
listed on `origins` calls.

```
ENV["LAGO_FRONT_URL"],
ENV["LAGO_DOMAIN"],
"app.lago.dev",
"api",
"lago.ngrok.dev"
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rsempe rsempe rsempe approved these changes

@julienbourdeau julienbourdeau julienbourdeau approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mariohd @rsempe @julienbourdeau