I originally wrote a REST API to work with a previously written mobile app. The mobile programmer asked me to generate an
auth_token on login that he will pass as a header on each request that needed authentication. This API runs at
Later on, I was commissioned to write an AngularJS app that communicates with this API, so I had to use
Access-Control-Allow headers on the backend for OPTIONS requests to be CORS compatible so my browser allows the connection (looks like iOS does not look for these headers). This app runs at
Now, I have to write a second AngularJS app that will run at
two.example.com and there's a third being planned for the near future at
My problem is that my
Access-Control-Allow-Origin header looks like this:
* is not allowed, nor am I able to set this header to more than one origin. So as far as I can see I have two solutions:
token-based authentication in parallel to the current
cookie-based one. I'm thinking about this. This will of course take some time I'm willing to save.
Send the requester a header or param to the API endpoint identifying the app on the OPTIONS request and server-side, produce the CORS headers accordingly. I don't even know if it's possible and this looks nasty for even thinking it.
Any better ideas?
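
The second option in the question can key on the Origin request header, which browsers already send on cross-origin requests and preflights, so the apps need no extra header or parameter. The following is an added example, not part of the original post: a framework-independent function that checks Origin against an exact-match allowlist and produces the CORS headers per request. The function name, the first app's origin, the https scheme, the allowed method list and the use of credentials are assumptions; auth_token as a header name is taken from the post.

```javascript
// Added example: per-request CORS decision from an exact-match origin allowlist.
// The first entry is a constructed placeholder (its real host is not given in
// the post); two.example.com is from the post, the https scheme is assumed.
const ALLOWED_ORIGINS = new Set([
  "https://first-app.example.com",
  "https://two.example.com",
]);
const ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS"; // assumed method set
const ALLOWED_HEADERS = "Content-Type, auth_token"; // auth_token header per the post

// method: HTTP method of the request; reqHeaders: object with lower-cased names.
// Returns { status, headers }. status is null when the normal handler should
// run and set its own status; otherwise it is the final preflight status.
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  // The response differs per Origin, so caches must key on it.
  const headers = { "Vary": "Origin" };
  const isPreflight = method === "OPTIONS" &&
    reqHeaders["access-control-request-method"] !== undefined;

  // No Origin header (for example the native mobile client): not a CORS
  // request, so emit no CORS headers and let the request proceed.
  if (origin === undefined) {
    return { status: null, headers };
  }
  // Exact string comparison only. Substring, suffix or regex matching would
  // accept look-alike hosts, and reflecting any Origin together with
  // credentials is equivalent to having no origin restriction at all.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: isPreflight ? 403 : null, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin; // one origin, echoed back
  headers["Access-Control-Allow-Credentials"] = "true"; // assumed: cookies in use
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```

CORS headers only control which pages may read the response in a browser; every endpoint still has to validate the auth_token or session itself.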