decap-cms: Failed to configure custom identity endpoint via config.yml

I am hosting a hugo site with netlify-cms on a custom hosting including it via a script tag. I would like to make use of the netlify identity service. Therefore a custom endpoint needs to be configured via APIUrl. I got some help via Gitter on this from @tech4him1 and @erquhart, but after that it was suggested to file a bug report.

I configured custom endpoint in the config.yml like this:

backend:
  name: git-gateway
  identity_url: "https://www.my-netlify-site.com/.netlify/identity"
  gateway_url: "https://www.my-netlify-site.com/.netlify/git/github"

This should work according to the implementation (https://github.com/netlify/netlify-cms/blob/master/src/backends/git-gateway/implementation.js) and this should set the APIurl correctly. However, when rendered the endpoint is still going to the custom hosting and not to the endpoint at netlify raising an error: Failed to load settings from /.netlify/identity. @tech4him1 suggested that the APIurl is not correctly set when using the widget.

@biilmann, can you have a look at it?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 30 (14 by maintainers)

Most upvoted comments

Thanks to @tech4him1 for looking into the nitty gritty on this one and a thank you to everyone else involved!

It works! @bcomnes, thanks for suggesting and implementing a fix. Great to see the Netlify CMS also working on a custom hosted site.

I’ll put this on my todo for Monday.

The fix noted above is deployed. Let me know how that works out for you.

I’ll review that. It does sound like X-Use-Cookie not being in the allowed headers list on gotrue may be an issue, considering gotrue-js has an option to set that header. Let me ask around today and see if I can piece together the whole story on this.

Digging further:

The standard token request coming from a hosted site is:

fetch('https://upbeat-bohr-1c9a68.netlify.com/.netlify/identity/token', {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Use-Cookie": "1"
  },
  body: "grant_type=password&username=my%40email&password=mypassword"
});

This is true whether you are logging in from a Netlify-hosted site or your own. It currently breaks on non-Netlify sites, because the X-Use-Cookie header causes CORS to make a “preflight” OPTIONS request. On localhost sites, however, the X-Use-Cookie header is not set, so no OPTIONS request is made. The problem is that the Access-Control headers are not being set on OPTIONS requests, only on regular (POST) requests.

The related code for turning off the cookie when running locally was added in https://github.com/netlify/netlify-identity-widget/pull/74. @Benaiah Do you have any background on why turning off cookies was necessary for CORS requests? Is it related to what I’ve laid out here?

Also, I’m definitely not an expert on CORS, but is there a reason why the Access-Control headers can’t be sent back as part of the pre-flight/OPTIONS requests as well as the POST? This seems like the main issue here. I’m wondering if X-Use-Cookie simply needs to be added to the allowed headers list in the GoTrue CORS setting: https://github.com/netlify/gotrue/blob/842281982917452274fceaab3a1ec71bba2593e4/api/api.go#L146
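
The preflight behaviour described in the comment above, as an added example that is not part of the original thread or of Netlify's code: a simplified JavaScript model of the browser's preflight decision, showing why the X-Use-Cookie header triggers an OPTIONS request and what that response must carry before the POST is sent. The function names, the origin and the sample OPTIONS responses are constructed for illustration.

```javascript
// Simplified model of the browser's CORS preflight rules (not a full Fetch implementation).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lowercased request header names that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n !== "content-type") return !SAFE_HEADERS.has(n);
      return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// True when the OPTIONS response (status plus lowercase header map) lets the request proceed.
// Assumption: "*" is treated as a wildcard, which browsers honour only without credentials.
function preflightAllows(origin, method, headers, res) {
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const permits = (allowed, item) => allowed.includes("*") || allowed.includes(item);
  if (res.status < 200 || res.status > 299) return false;
  const allowOrigin = res.headers["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = list(res.headers["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(method.toUpperCase()) && !permits(methods, method.toLowerCase())) return false;
  return unsafeHeaders(headers).every((h) => permits(list(res.headers["access-control-allow-headers"]), h));
}

// Constructed samples: the token request headers from the thread and two OPTIONS responses.
const ORIGIN = "https://cms.example.org"; // hypothetical custom-hosted site
const tokenHeaders = { "Content-Type": "application/x-www-form-urlencoded", "X-Use-Cookie": "1" };
const bareOptions = { status: 200, headers: {} }; // no Access-Control headers on OPTIONS
const allowingOptions = { status: 204, headers: {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-headers": "Authorization, Content-Type, X-Use-Cookie",
} };

console.log("preflight needed:", needsPreflight("POST", tokenHeaders));
console.log("bare OPTIONS allows:", preflightAllows(ORIGIN, "POST", tokenHeaders, bareOptions));
console.log("allowing OPTIONS allows:", preflightAllows(ORIGIN, "POST", tokenHeaders, allowingOptions));
```

Dropping X-Use-Cookie from `tokenHeaders` makes the request a simple one, which matches the localhost case in the comment where no OPTIONS request is made.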