[BUG]: Custom headers introduce CORS issues

[doctorpangloss]

Describe the bug

Lago uses these headers:

apollographql-client-name
apollographql-client-version
x-lago-organization
customer-portal-token

among others - I have not done an exhaustive look through the codebase - which should be documented for properly configuring CORS for proxies.

It is possible that the allowed headers on production Lago is * which is maybe not fine for a billing management solution that interacts with both a proxy and Ruby.

Related to getlago/lago-helm-charts#42

To Reproduce
Visit the dashboard or the customer portal. Observe these headers will cause CORS errors on proxies configured without wildcard accepting.

Expected behavior
Document the headers needed.

Support

• OS: (all)
• Browser: Firefox
• Version: 2.1.2

[jdenquin]

cc @ansmonjol

[ansmonjol]

Hello @doctorpangloss,

Just to be sure, here you ask for the exhaustive list of headers to prevent any CORS issue?

You listed the main ones indeed.

To be complete, here is what I can found when looking at my headers

Accept (value being */*)
Accept-Encoding
Apollographql-Client-Name
Apollographql-Client-Version
Authorization
Content-Type
Customer-Portal-Token
X-Lago-Organization

On our side we only manually handle Authorization, Customer-Portal-Token and X-Lago-Organization
The rest being placed there by Apollo or your browser

Not sure if that answer your question but let us know if it doesn't!

[jdenquin]

@doctorpangloss any updates?