Strategies for CORS/auth with preview deploys + custom domains

I’m evaluating whether my company could move our node server + static SPA client to Render and I’m running into problems with CORS headers and also authentication on preview apps.

The server is configured to allow requests from its own domain and served from api.example.com and the client uses cookies (set for example.com) served at client.example.com. We’d like to move the client first; however, preview deployments go to example-pr-2.onrender.com and the server can’t allow requests from *.onrender.com because then any app hosted on Render could connect.

I tried creating a CNAME record like *.render.example.com and that works fine when I manually set the domain for a preview deployment to something like branch.render.example.com, but I need something automatic for my team. My questions are:

  1. Is there an automatic way to set custom domains like pr-2.render.example.com so that I don’t have to manually do so? Or is there a webhook or anything to trigger a script to automatically do so?
  2. I’ve seen the limit of 25 free custom domains. We will probably never create 25 apps at the same time, but is it counted as concurrent custom domains or lifetime? I can’t tell if it will incur a charge.
  3. Anyone have any alternative solutions for how their preview apps connect to their production domains given CORS headers and domain-based authentication?

Thanks!

Hey there.

So we don’t have a platform-level way to implement this but we do have an API which can accomplish this.

I have a gist at https://gist.github.com/johnbeynon/8accbb18c4791c0ef4449161af34dc94; it’s in Ruby but should be easily translated to whatever you’re using. You’d include this in the buildCommand with the required env vars and it would set the custom domain on your preview environment as it’s deployed.

As for custom domains, it would be 25 active domains.

I think once you’ve got the custom domains working for your PR envs then you should be able to allow those domain patterns in your CORS headers?

Regards,

John B

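As an added example (not code from this thread or from Render), here is one way the Node API could allow the preview domain pattern suggested above while still rejecting look-alike origins. The hostnames reuse the thread's placeholders; `render.example.com` as the preview zone and the function names are assumptions.

```javascript
// Added example. Hostnames reuse the thread's placeholders; names are assumptions.
const PRODUCTION_ORIGINS = new Set(["https://client.example.com"]);
const PREVIEW_PARENT = "render.example.com"; // zone behind the wildcard CNAME
const DNS_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/; // one label, no dots

// True only for origins the API should trust with cookies.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  // An Origin header is scheme://host[:port]; reject anything that does not
  // round-trip (paths, userinfo, upper case, explicit default port).
  if (url.origin !== origin) return false;
  if (PRODUCTION_ORIGINS.has(origin)) return true;
  if (url.protocol !== "https:" || url.port !== "") return false;
  // Compare on the parsed hostname with a leading dot, never on the raw string.
  const suffix = "." + PREVIEW_PARENT;
  if (!url.hostname.endsWith(suffix)) return false;
  const label = url.hostname.slice(0, -suffix.length);
  return DNS_LABEL.test(label); // exactly one label, e.g. "pr-2"
}

// Response headers for a request. Vary: Origin is always sent so caches
// never reuse a response across origins.
function corsHeaders(requestOrigin) {
  const headers = { Vary: "Origin" };
  if (!isAllowedOrigin(requestOrigin)) return headers;
  headers["Access-Control-Allow-Origin"] = requestOrigin; // echo, never "*"
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Constructed sample origins, not taken from real traffic.
const samples = [
  "https://client.example.com",
  "https://pr-2.render.example.com",
  "https://example-pr-2.onrender.com",
  "https://notrender.example.com",
  "https://render.example.com.other.test",
  "http://pr-2.render.example.com",
];
for (const origin of samples) {
  console.log(origin, "->", isAllowedOrigin(origin) ? "allowed" : "rejected");
}
```

Because the cookie is set for example.com, every origin this check allows can make credentialed requests with real user sessions, so the pattern should stay no wider than the zone only your team can deploy to.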

Thanks for the tips. I ended up with a shell script that seems to do the trick. And if it’s 25 active domains then that should be no problem. Appreciate the quick answers!

For posterity or any further suggestions, my script is like:

# Only pull request previews get a custom domain.
if [ "$IS_PULL_REQUEST" = true ]; then
    # Both variables must be provided in the service's environment.
    if [ -z "$RENDER_API_TOKEN" ]; then
        echo "Must set RENDER_API_TOKEN environment variable!" >&2
        exit 1
    fi
    if [ -z "$DOMAIN_SUFFIX" ]; then
        echo "Must set DOMAIN_SUFFIX environment variable!" >&2
        exit 1
    fi
    # Preview hostname: <branch>.<suffix>
    domain="$RENDER_GIT_BRANCH.$DOMAIN_SUFFIX"
    echo "Setting service $RENDER_SERVICE_ID domain to $domain"
    # Attach the custom domain to this preview service through the Render API.
    curl \
        --url "https://api.render.com/v1/services/$RENDER_SERVICE_ID/custom-domains" \
        --header "Accept: application/json" \
        --header "Authorization: Bearer $RENDER_API_TOKEN" \
        --header "Content-Type: application/json" \
        --data '{"name":"'"$domain"'"}'
else
    echo "Not a pull request. No custom domain needed."
fi