Hello, thanks for the additional details, that helps a lot.
First thing is that I don’t think you need xhr.withCredentials set, because my understanding is this is a cookie-related thing. Your authentication key to mailsac is set as the header mailsac-key.
However based on the error message, it looks like you are doing requests directly to mailsac from a web browser. All of our JavaScript examples assume it’s a Node.js server, for two reasons. First one is the CORS issue you are seeing. The second reason is security.
For the most part, only browsers care about CORS, to protect users. Servers won’t care. Which means you would be storing the mailsac-key in source control or otherwise plaintext and giving it to the user. I can explain in more detail.
Typically what people do is store the secret mailsac-key on a backend server, and use a server (Node.js) to proxy these requests to Mailsac. Then on the frontend you can authenticate your users and store a temporary session on their browser cookies or localStorage. This way you protect the mailsac-key and can limit what a user in the browser can do against mailsac. For example, if you only wanted to allow checking email for a specific address for a specific user, you could control that on your backend server. By setting up the app the way you did, any particular user of your app can do anything on mailsac: check any other user’s email, delete all your private forwarding rules, and more.
I may be telling you something you already know! Perhaps your app is running inside your company’s private network/intranet, or accessible via vpn only.
So if all you wanted to do is proxy every request through a backend, it might look something like this in Node.js:
untested proxy example

```javascript
const express = require('express')
const expressHttpProxy = require('express-http-proxy')
const app = express()
const MAILSAC_KEY = process.env.MAILSAC_KEY // env var you need to set

// Target the HTTPS API; express-http-proxy defaults to plain http when no scheme is given
app.use('/mailsac', expressHttpProxy('https://mailsac.com', {
  proxyReqOptDecorator: function(proxyReqOpts, srcReq) {
    // intercept every proxied request, adding auth header
    proxyReqOpts.headers['Mailsac-Key'] = MAILSAC_KEY;
    return proxyReqOpts;
  }
}));

app.listen(3000) // port is just an example
```
Now every request a user makes at this server at /mailsac/* would be proxied to mailsac.com. For example, to get the mail for an address [email protected], your user makes the following request to your server:

GET /mailsac/api/addresses/[email protected]/messages
A final note - there really is no other way to get around these CORS issues in the way you are attempting. Otherwise, when you visit any random blog website, nothing would prevent that blog from running JavaScript to go check if you are logged into Facebook.com and your bank, and steal your Facebook account and money. Web browsers enforce CORS in an increasingly specific and strict way, so they can protect against these sorts of attacks.