CORS, Server Events and Required Authentication

We are starting implementation of SSE to enable updating users when content specific to that user is modified. As such, we want to only allow subscription for logged-in users. However, CORS is causing issues now when using the wildcard * for Access-Control-Allow-Origin.

I realize this is as designed, but I’m unsure of how to make it work so that local development as well as our production Angular app can subscribe without locking down API usage to only specific domains (we have 3rd party access to some API endpoints).

Not sure what solution you’re looking for; the allowOriginWhitelist should be a fixed whitelist so it only allows access to trusted sources. If dev/production is different you can always pull the whitelist of domains from a configuration source, but I personally just hard-code both local + production domains.

Well, it’s more than domains. How can we deal with a native iOS app that calls the API?

Are you referring to a WebView in iOS? It should be using the domain where the WebView is loaded.
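
The fixed-whitelist approach discussed in this thread, sketched as an added example that is not part of the original posts or any framework's own code: it echoes the Origin only for whitelisted callers of the credentialed event stream and keeps the wildcard, without credentials, for public endpoints. The origins, the `/event-stream` and `/api/public` paths and the function name are assumptions made for illustration.

```javascript
// Added example: per-request CORS decision for a credentialed SSE endpoint.
// All origins and paths below are constructed placeholders.
const ALLOW_ORIGIN_WHITELIST = new Set([
  'http://localhost:4200',   // local Angular dev server (assumed)
  'https://app.example.com', // production app (assumed)
]);

// Endpoints that rely on the session cookie (assumed path).
const CREDENTIALED_PREFIXES = ['/event-stream'];

function corsHeaders(origin, path) {
  // No Origin header (for example a native HTTP client): CORS does not apply.
  if (!origin) return {};

  const credentialed = CREDENTIALED_PREFIXES.some((p) => path.startsWith(p));
  if (!credentialed) {
    // Public endpoints stay open to any origin, but never with credentials.
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Exact match only: substring or suffix checks would admit look-alike hosts.
  if (!ALLOW_ORIGIN_WHITELIST.has(origin)) return { Vary: 'Origin' };

  // Browsers reject "*" on credentialed requests, so echo the trusted origin.
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // keep caches from reusing one origin's response for another
  };
}

// Constructed sample requests: [Origin header, request path]
const samples = [
  ['https://app.example.com', '/event-stream'],
  ['http://localhost:4200', '/event-stream'],
  ['https://app.example.com.attacker.example', '/event-stream'],
  ['https://partner.example', '/api/public'],
  [undefined, '/event-stream'],
];
for (const [origin, path] of samples) {
  console.log(origin, path, JSON.stringify(corsHeaders(origin, path)));
}
```

The CORS headers only decide which browser origins may read the response; the event stream still has to check the session on every subscription, since a request without an Origin header bypasses this logic entirely.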