@uppy/companion: include origin in dynamic customer credentials #5310

Open
4 of 6 tasks
Murderlon opened this issue Jul 3, 2024 · 0 comments
Murderlon commented Jul 3, 2024

Initial checklist

  • I understand this is a feature request and questions should be posted in the Community Forum
  • I searched issues and couldn’t find anything (or linked relevant results below)

Problem

People who self-host Companion can set the corsOrigins option to only allow trusted origins. However, when going through the OAuth process we use window.opener.postMessage() to send the token to another tab but this also makes it accessible in all tabs (and any client from any origin).

When customers use Transloadit hosted Companion, CORS is set to allow all origins. But when people use their own credentials (fetched by Companion from their account) we should still allow them to configure strict origins.

Solution

The solution requires multiple steps.

  • Remove the recently added @uppy/companion: add oauthOrigin option #5297. We don't need a separate option for this.
  • Use the corsOrigins option on window.opener.postMessage() as well. This may involve changing the option to only allow a string instead of also a regular expression.
    • In the case of self-hosting Companion, you want these to be the same.
    • When using Transloadit hosted Companion, we want to allow all origins ('*'), except when customers use dynamic credentials; then we should pass their defined origin to postMessage (but keep CORS '*').
  • Add origin to the database and API response.
  • Add a new "allowed origins" field on the Transloadit website under "Third-party Credentials" -> "New Credential" -> "Companion OAuth".
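As an added illustration of the second step (this is example code, not Companion's own implementation; all names are hypothetical), the OAuth callback page can derive the `targetOrigin` for `window.opener.postMessage()` from the configured origin list instead of `'*'`, refusing to send the token when the requesting origin is not on that list, and the opener checks `event.origin` before accepting it:

```javascript
// Added example, not code from @uppy/companion. Names are hypothetical.
const WILDCARD = '*';

// Normalise an origin string so "https://App.Example.com/" equals "https://app.example.com".
// Returns null for values that are not valid URLs (including '*').
function normaliseOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Decide which targetOrigin to hand to postMessage.
// allowedOrigins: '*' (hosted Companion, no restriction) or an array of exact origins
//   (the corsOrigins option, or the origin stored with a customer's dynamic credentials).
// requestedOrigin: the origin the client claimed when it started the OAuth flow
//   (assumed to be carried through the flow, e.g. in the OAuth `state`), or null.
// Returns the origin to post to, or null when the token must not be sent at all.
function pickTargetOrigin(allowedOrigins, requestedOrigin) {
  if (allowedOrigins === WILDCARD) return WILDCARD;
  if (!Array.isArray(allowedOrigins)) {
    throw new TypeError('allowedOrigins must be "*" or an array of origin strings');
  }
  const allowed = allowedOrigins.map(normaliseOrigin).filter(Boolean);
  const wanted = requestedOrigin ? normaliseOrigin(requestedOrigin) : null;
  // Never fall back to '*' here: a token posted to '*' is readable by any opener origin.
  return wanted && allowed.includes(wanted) ? wanted : null;
}

// Callback-page side: post the token only when an acceptable targetOrigin exists.
function sendToken(opener, token, allowedOrigins, requestedOrigin) {
  const target = pickTargetOrigin(allowedOrigins, requestedOrigin);
  if (target === null) return false; // token stays in this window
  opener.postMessage({ token }, target);
  return true;
}

// Opener side: only accept tokens that come from the Companion origin itself.
function makeTokenReceiver(companionOrigin, onToken) {
  const expected = normaliseOrigin(companionOrigin);
  return (event) => {
    if (event.origin !== expected) return; // ignore messages from any other origin
    if (event.data && typeof event.data.token === 'string') onToken(event.data.token);
  };
}
```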

Alternatives

n/a
