I received an error in chrome when trying to use cmi5 content that was not in the same domain as the LMS. The error message in chrome indicates that an Access-Control-Allow-Origin cannot be set to "*" when withCredentials is set to true. Since I do not wish to continually add domains to the Access-Control-Allow-Origin header, I removed that line from the cmi5Controller and I no longer had the error. I don't see this as particularly dangerous as I am only setting the Origin header when a request is made to my cmi5 controllers. I am considering removing it from this libraries source as well unless someone can give me a better idea.
Lacking a "return" on line 285 after auth token is fetched from session storage. The current behavior is read from session, call the successCallback then continue on, make the fetch request, then call either the tokenErrorCallBack incorrectly (since it was read from session anyway) or call successCallback again. Double callback on successCallback leads to fetching the activityState twice.
I believe that the cmi5 spec requires that only one Completed and or Passed statement is sent by the AU.
The AU could use the agent xAPI state resource to store if it has previously sent Completed or Passed statements. I don't believe the AU should attempt to check the existence of the Statements in the LRS because some LMS might prohibit an AU from requesting statements.