Context:
- SPA
- Hybrid
- Using Cordova and WKWebview
- Not using Locks
- Passwordless login
Our app works fine on the web, but the same code base is getting an Auth0 error on iOS (Cordova). To prevent sending a null origin, we use cordova-local-webserver.
During the passwordless login, we have a POST to https://{app}.auth0.com/passwordless/start which generates the following log:
{
"date": "2017-05-10T12:38:16.181Z",
"type": "fco",
"description": "Origin http://localhost:49634 is not allowed.",
"connection_id": "",
"ip": "189.6.84.54",
"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304 (4392531984)",
"details": {
"xhr": false,
"method": "OPTIONS",
"origin": "http://localhost:49634",
"allowedOrigins": [
"https://manage.auth0.com",
"https://auth0.com/docs",
"https://login.auth0.com",
"https://docs.auth0.com",
"https://manage.auth0.com"
],
"headers": {
"x-forwarded-proto": "https",
"x-forwarded-for": "189.6.84.54, 127.0.0.1",
"host": "remoto.auth0.com",
"content-length": "0",
"origin": "http://localhost:49634",
"access-control-request-method": "POST",
"access-control-request-headers": "auth0-client,content-type",
"accept": "*/*",
"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304 (4392531984)",
"referer": "http://localhost:49634/www/index.html?cdvToken=0F82EE55-BA72-4E73-B822-53D4F7656018-2355-000003C10FA3DE7F",
"accept-language": "en-us",
"accept-encoding": "gzip, deflate"
},
"host": "https://remoto.auth0.com",
"originalUrl": "/passwordless/start"
},
"log_id": "49560429270835143462029482507958217094351368046241644546"
}
Why are the allowed origins:
"allowedOrigins": [
"https://manage.auth0.com",
"https://auth0.com/docs",
"https://login.auth0.com",
"https://docs.auth0.com",
"https://manage.auth0.com"
],
Shouldn't they be the ones I set up in the dashboard?