The handler only performed a pre-emptive check (token expiry before sending), but never reacted to a 401 response from the server. Now after sending, if the response is 401, the handler disposes it, refreshes the token via Reauthenticate(), updates the request header, and retries once. This covers clock skew, server-side invalidation, and any other case where the server rejects a token the client considered valid.
Milky Shots
A place where to look for images
TODO: fill more information here
Configuration
CORS allowed origins
The API uses a CORS policy to control which browser origins may call it.
Allowed origins are configured via the CorsAllowedOrigins key.
appsettings.json (default / development)
{
"CorsAllowedOrigins": [ "http://localhost:5269", "http://localhost:8080" ]
}
Environment variable (Docker / production)
Set the CorsAllowedOrigins environment variable to a semicolon-separated list of
origins. This value replaces the entire array from appsettings.json, so you must
list every origin you want to allow:
CorsAllowedOrigins=http://myserver:8080
# or multiple origins:
CorsAllowedOrigins=http://myserver:8080;https://myserver.example.com
To allow any origin (useful when the server IP is unknown at deploy time):
CorsAllowedOrigins=*
⚠️ Security warning: Setting
CorsAllowedOrigins=*disables CORS origin checking entirely — any website can make authenticated requests to the API from a visitor's browser. Only use this option in fully trusted, self-hosted environments where you control all network access. For any internet-facing deployment always specify explicit origins instead.
This is already set up in docker-compose.yml — override it with your server's
hostname/IP if you are not running on localhost.
Configuring CORS for the MilkStream frontend
MilkStream is the Blazor WASM frontend that talks to the Lactose API. Because the
browser fetches the API directly, the origin of MilkStream as seen by the browser
must be listed in CorsAllowedOrigins on the Lactose service.
The two services are mapped in docker-compose.yml as follows:
| Service | Container port | Host port | Browser URL (default) |
|---|---|---|---|
lactose |
8080 | 5162 | http://yourserver:5162 |
milkstream |
8080 | 8080 | http://yourserver:8080 |
MilkStream's URL (http://yourserver:8080) must be added to Lactose's allowed origins,
and LactoseBaseUrl on MilkStream must point to the URL the browser uses to reach
Lactose (http://yourserver:5162).
Example — running on myserver.local:
# docker-compose.yml (relevant excerpts)
lactose:
environment:
- CorsAllowedOrigins=http://myserver.local:8080 # MilkStream origin seen by the browser
milkstream:
environment:
- LactoseBaseUrl=http://myserver.local:5162/ # Lactose URL seen by the browser
Example — running on localhost (default):
lactose:
environment:
- CorsAllowedOrigins=http://localhost:8080
milkstream:
environment:
- LactoseBaseUrl=http://localhost:5162/
If you expose MilkStream on a non-standard port or via HTTPS, adjust both values
accordingly and list the exact scheme://host:port that appears in the browser's
address bar.