Not really a bug - but more of a security issue thing with how our current /api routes are being implemented.
See thread -> rubyforgood#4934
This is what sean said:
In essence, you are creating an API for a mobile app to consume.
You should be isolating everything to the API and the routes for that API.
The convention is for your controllers/routes/etc to all be in an /api route. Since this is the first mobile api the convention should be /api/v1/* and then when we deprecate this api and launch a new one, it will be /api/v2/* and so on. In general if we are altering existing controllers/files/concerns for an API that is usually a sign that it may not be being built correctly.
Then your cors file should look something like:
resource '/api/v1/*', # adjust this to match your API endpoints
  headers: :any,
  methods: [methods you are going to use],
  expose: %w[Authorization]
Expected Behavior
Define our api routes/controllers so it follows the /api/v1/* convention.
Essentially we want to isolate the api stuff from the rest of the non-api stuff.
Login Details:
Link to QA site
Login Emails:
password for all users: 12345678
Questions? Join Slack!
We highly recommend that you join us in slack https://rubyforgood.herokuapp.com/ #casa channel to ask questions quickly and hear about office hours (currently Tuesday 5-7pm Pacific), stakeholder news, and upcoming new issues.
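
Added example, not part of the original issue or the project's code: a simplified pure-Ruby stand-in for a CORS middleware (not rack-cors itself) showing the effect of scoping the resource to /api/v1/* as described in the thread above. The origin, the method list and the request paths are constructed assumptions.

```ruby
# Simplified stand-in for a CORS middleware, NOT rack-cors itself.
# Assumed values: the origin, the method list and the sample paths.
class ScopedCors
  def initialize(app, resource:, origins:, methods:, expose:)
    @app = app
    @origins = origins
    @methods = methods
    @expose = expose
    # Turn the '/api/v1/*' glob into an anchored regexp.
    @pattern = Regexp.new("\\A" + Regexp.escape(resource).gsub("\\*", ".*") + "\\z")
  end

  def call(env)
    origin = env["HTTP_ORIGIN"]
    in_scope = origin && @origins.include?(origin) && @pattern.match?(env["PATH_INFO"])
    # Out-of-scope requests pass through untouched: no CORS headers at all.
    return @app.call(env) unless in_scope

    cors = { "access-control-allow-origin" => origin, "vary" => "Origin" }
    if env["REQUEST_METHOD"] == "OPTIONS" && env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
      # Preflight: answer here, advertising only the allowed methods.
      cors["access-control-allow-methods"] = @methods.join(", ")
      return [204, cors, []]
    end
    status, headers, body = @app.call(env)
    cors["access-control-expose-headers"] = @expose.join(", ")
    [status, headers.merge(cors), body]
  end
end

# Constructed inner app standing in for the Rails application.
INNER_APP = ->(_env) { [200, { "content-type" => "application/json" }, ["{}"]] }

STACK = ScopedCors.new(INNER_APP,
                       resource: "/api/v1/*",
                       origins: ["https://mobile.example"], # constructed origin
                       methods: %w[GET POST],               # assumed method list
                       expose: %w[Authorization])

# Returns only the access-control-* response headers for a simulated request.
def cors_headers_for(path, origin: "https://mobile.example", method: "GET", preflight: nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "HTTP_ORIGIN" => origin }
  env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight if preflight
  _status, headers, _body = STACK.call(env)
  headers.select { |name, _| name.start_with?("access-control-") }
end
```

CORS only governs which cross-origin browser reads are permitted, so the /api/v1 endpoints still need their own authentication and authorization.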