mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2026-05-30 23:40:40 +02:00
[Enhancement]: Allow cross origin API requests from the web #3063
Closed · opened 2026-04-25 00:13:21 +02:00 by adam · 7 comments
Labels: enhancement
Milestone: none
Assignees: adam (Adam Melkus)
Reference: starred/audiobookshelf#3063
Originally created by @elliott-parkinson on GitHub (Oct 30, 2025).
Type of Enhancement
Server Backend
Describe the Feature/Enhancement
I would like to be able to make requests from a web page on another origin to my audible instance. Right now I am limited from doing so because of the following code:
(TokenManager.js)
```js
// The cookie-setting method as posted in the issue; the sameSite value is the attribute in question.
setRefreshTokenCookie(req, res, refreshToken) {
  res.cookie('refresh_token', refreshToken, {
    httpOnly: true,
    secure: req.secure || req.get('x-forwarded-proto') === 'https',
    sameSite: 'lax',
    maxAge: this.RefreshTokenExpiry * 1000,
    path: '/'
  })
}
```
'sameSite' being set to 'lax' prevents me from making these requests. So when I make a request with `credentials: "include"` I am unable to do so because the cookie wasn't set during my login in the first place. Basically this means I can make native apps but not web apps to interact with the audiobookshelf server.
The specific feature / implementation I would like is a toggle in the UI settings where I can change this to "none" based upon it. I would suggest this is below the "Allow embedding in an iframe" toggle.
Why would this be helpful?
I am trying to build an alternative web frontend for audiobookshelf as I have some personal UI preferences and would also like to help a friend of mine who is having issues on iOS.
Future Implementation (Screenshot)
The specific feature / implementation I would like is a toggle in the UI settings where I can change the sameSite cookie setting to "none" based upon it. I would suggest this is below the "Allow embedding in an iframe" toggle.
Alternatively - maybe if we are doing CORS from one of the allowed origins we can just have it set to none instead of lax? Though I think a setting in preferences may be more desirable as it requires intent.
Audiobookshelf Server Version
v2.30.0
Current Implementation (Screenshot)
No response
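As an added example (this is not audiobookshelf code and does not reproduce how the server or any particular browser is implemented): the snippet below models the SameSite rule that keeps a `lax` refresh-token cookie out of a cross-origin `fetch()` made with `credentials: "include"`, and shows what changes when the attribute becomes `none`: the cookie then also rides along on cross-site form posts, which is the exposure the later comments warn about. It also serializes cookie options in the shape `res.cookie()` takes, refusing the `SameSite=None` without `Secure` combination that browsers drop silently. The request-context shape (`sameSiteRequest`, `topLevelNavigation`, `method`) and all helper names are assumptions of this example.

```javascript
// Added example, not audiobookshelf code. Models (1) whether a browser attaches
// a cookie to a request given its SameSite attribute and (2) a Set-Cookie
// serializer that rejects combinations browsers refuse to store.
// The request-context model below is a simplification assumed for this example.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const SAMESITE_MODES = ['strict', 'lax', 'none'];

function normalizeMode(sameSite) {
  const mode = String(sameSite == null ? 'lax' : sameSite).toLowerCase();
  if (!SAMESITE_MODES.includes(mode)) {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  return mode;
}

// Returns true when a browser would attach `cookie` to a request made in `ctx`.
//   ctx.sameSiteRequest    - the request's site equals the cookie's site
//   ctx.topLevelNavigation - a document navigation (link click, form post);
//                            false for fetch()/XHR/img/iframe subresource loads
//   ctx.method             - HTTP method of the request
function browserWouldSendCookie(cookie, ctx) {
  const mode = normalizeMode(cookie.sameSite);
  // Modern browsers refuse to store SameSite=None cookies that lack Secure,
  // so such a cookie never exists to be sent, even on same-site requests.
  if (mode === 'none' && !cookie.secure) return false;
  if (ctx.sameSiteRequest) return true;
  if (mode === 'strict') return false;
  if (mode === 'none') return true;
  // Lax: a cross-site cookie rides along only on top-level navigations that use
  // a safe method. A cross-origin fetch() with credentials: "include" is not a
  // navigation, so the Lax cookie is withheld regardless of method.
  return Boolean(ctx.topLevelNavigation) && SAFE_METHODS.has(String(ctx.method).toUpperCase());
}

// Serializes options in the shape express' res.cookie() accepts (maxAge in
// milliseconds; Max-Age is emitted in seconds) into a Set-Cookie header value.
function serializeCookie(name, value, opts = {}) {
  const mode = normalizeMode(opts.sameSite);
  if (mode === 'none' && !opts.secure) {
    throw new Error('SameSite=None cookies must also be Secure');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  parts.push(`SameSite=${mode[0].toUpperCase()}${mode.slice(1)}`);
  return parts.join('; ');
}

// Runs the three request shapes relevant to this thread against each SameSite
// mode (all cookies Secure) and returns the resulting table.
function compareModes() {
  const crossOriginFetch = { sameSiteRequest: false, topLevelNavigation: false, method: 'GET' };
  const crossSiteFormPost = { sameSiteRequest: false, topLevelNavigation: true, method: 'POST' };
  const crossSiteLinkClick = { sameSiteRequest: false, topLevelNavigation: true, method: 'GET' };
  const result = {};
  for (const mode of SAMESITE_MODES) {
    const cookie = { sameSite: mode, secure: true };
    result[mode] = {
      crossOriginFetch: browserWouldSendCookie(cookie, crossOriginFetch),
      crossSiteFormPost: browserWouldSendCookie(cookie, crossSiteFormPost),
      crossSiteLinkClick: browserWouldSendCookie(cookie, crossSiteLinkClick),
    };
  }
  return result;
}

// Constructed sample values for the demo output.
console.log(serializeCookie('refresh_token', 'example-token', {
  httpOnly: true, secure: true, sameSite: 'lax', maxAge: 7 * 24 * 3600 * 1000, path: '/',
}));
console.table(compareModes());
```

The table makes the trade-off concrete: with `lax`, a cross-origin `fetch()` never carries the cookie, which is exactly the symptom in the issue, but a cross-site form post does not carry it either; with `none`, both do, so any endpoint that trusts the cookie alone must add its own request-origin or CSRF check before that switch is safe.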
@sir-wilhelm commented on GitHub (Oct 30, 2025):
If you are on 2.30 you should be able to allow that in the config:
/audiobookshelf/config
@Vito0912 commented on GitHub (Oct 30, 2025):
@sir-wilhelm That's just the CORS origin.
Apart from that, the request OP wants to make is very risky and should not be implemented imho.
It would cause serious security issues. There are good reasons for this.
If you want to build a custom client (or interact with ABS in general), you can set the CORS Origins and use the API.
@elliott-parkinson commented on GitHub (Oct 30, 2025):
Setting CORS origin and using the API is not a viable option in this case because I am on a different domain and do not get the cookies set. This means that whilst I get an authorized response and I get my user object etc., I have no refresh token. This means that my only current option is to store the username and password client side and continuously re-login, which I would consider to be extremely unsafe.
Would a safer alternative perhaps be to send the refresh token in cookies and the response?
@Vito0912 commented on GitHub (Oct 30, 2025):
It's not less secure. If done correctly, it could even be more secure. I'm not saying this is a good idea at all.
But aside from that, you can already retrieve the refresh token if you include
`x-return-tokens` as a request header.
@elliott-parkinson commented on GitHub (Oct 30, 2025):
Ah! I was not aware of / had not come across the x-return-tokens header yet. This has in fact fully resolved my issue and is the correct solution imo.
Thank you.
@Vito0912 commented on GitHub (Oct 30, 2025):
Nice, if not needed, can you close this issue then?
Thanks! Also if you are open to it, might you want to share your client? I keep a collection of pretty much every client
@elliott-parkinson commented on GitHub (Oct 30, 2025):
I will happily share my client when complete - I intend on making it publicly available.
I will send it to your contact email on your portfolio website!
Thanks again.