I am attempting to perform a search of my topics using fetch against the API for the dbsearch plugin, but it seems to require the ‘express.sid’ session cookie that is returned in the ‘set-cookie’ header response from other API requests. In order to pass the cookie along with the GET request to https://mynodebbdomain/api/search/?term=test&_uid=1, I am adding the credentials: ‘include’ header to the request. However, this requires both the ‘Access-Control-Allow-Credentials’ header to be ‘true’ and the ‘Access-Control-Allow-Origin’ header to be a single non-wildcard domain. The issue is that I see nowhere to set the ‘Access-Control-Allow-Credentials’ header under Admin > Settings > Advanced, and I need to be able to make this API call from multiple domains. When performed through Postman, the request is able to succeed because it doesn’t have to deal with the CORS issues that the browser does, but it does confirm that the request would work if not for the CORS/CSRF issue.
Is there something that I can do to bypass the CORS/CSRF issues? Or is there a proper way to send the cookie that I have missed? If not, what would be my best path forward to resolve the issue?
