Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: same site api call with session cookie #8435

Merged
merged 1 commit into from
Oct 15, 2024
Merged

fix: same site api call with session cookie #8435

merged 1 commit into from
Oct 15, 2024

Conversation

gastonfournier
Copy link
Contributor

@gastonfournier gastonfournier commented Oct 11, 2024
edited
Loading

About the changes

This fixes #8029. How to reproduce the issue is in the ticket.

The issue happens because when a web app is hosted in the same domain as Unleash UI and the web app uses unleash SDK to make requests to Unleash, the browser automatically includes the cookie in the request headers, because:

- The request URL matches the cookie's Path attribute (which it does in this case).
- The request is sent to the same domain (which it is, since both apps are under the same domain).

And this is by design in the HTTP cookie specification: https://datatracker.ietf.org/doc/html/rfc6265

This PR avoids overriding the API user with the session user if there's already an API user in the request. It's an alternative to #8434

Closes #8029

@vercel Vercel
Copy link

vercel bot commented Oct 11, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
unleash-monorepo-frontend ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 11, 2024 3:46pm
1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
unleash-docs ⬜️ Ignored (Inspect) Oct 11, 2024 3:46pm

@github-actions GitHub Actions
Copy link
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails

Scanned Manifest Files

@gastonfournier gastonfournier changed the title fix: cookie in same domain as in Unleash fix: same site api call with session cookie Oct 11, 2024
@gastonfournier gastonfournier mentioned this pull request Oct 11, 2024
Closed
nunogois
nunogois approved these changes Oct 11, 2024
View reviewed changes
Copy link
Member

@nunogois nunogois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me 👍

@gastonfournier gastonfournier merged commit 07469a4 into main Oct 15, 2024
13 checks passed
@gastonfournier gastonfournier deleted the fix/same-domain-api-with-session-cookie-alternative branch October 15, 2024 11:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nunogois nunogois nunogois approved these changes

@ivarconr ivarconr Awaiting requested review from ivarconr

Assignees

@gastonfournier gastonfournier

Labels
None yet
Projects
Issues and PRs
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unleash-Session Cookie Sent In Headers
2 participants
@gastonfournier @nunogois