This repository was archived by the owner on Jan 11, 2023. It is now read-only.

Authorization header doesn't get (automatically) sent by server fetch #880

Closed
cyderize opened this issue Sep 9, 2019 · 1 comment · Fixed by #882

Comments

@cyderize
Contributor

cyderize commented Sep 9, 2019

Describe the bug
The server middleware doesn't add in the page request's Authorization header when fetching the same domain. This means that a site relying on the Authorization header will work when the client uses fetch, but will break when doing SSR on a page.

To Reproduce
Here's an example using express and express-basic-auth with the sapper template.
In src/server.js:

import sirv from 'sirv';
import express from 'express';
import compression from 'compression';
import basicAuth from 'express-basic-auth';

import * as sapper from '@sapper/server';

const { PORT, NODE_ENV } = process.env;
const dev = NODE_ENV === 'development';

// Basic-auth guard; the credentials here are the ones used in the reproduction steps below.
const staticUserAuth = basicAuth({
  users: {
    'username': 'password'
  },
  challenge: true
});

express() // You can also use Express
  .use(
    compression({ threshold: 0 }),
    sirv('static', { dev }),
    // The guard runs before the Sapper middleware, so pages and the *.json
    // routes they fetch during SSR all require the Authorization header.
    staticUserAuth,
    sapper.middleware()
  )
  .listen(PORT, err => {
    if (err) console.log('error', err);
  });

In src/routes/blog/[slug].svelte, change line 5:

const res = await this.fetch(`blog/${params.slug}.json`, { credentials: 'same-origin' });

You may also need to remove the service worker to stop it from interfering with the authentication process. The repo I used can be found here.

After logging in with the username username and the password password, if you click the hyperlink to the blog page, the content loads as expected, because the browser adds the Authorization header for a request to the same domain.

However, if you refresh /blog to perform SSR, it will display a 500 error because the server does not send an Authorization header to blog.json.

Expected behavior
The server middleware should send the Authorization header when the domain of its initial request matches the domain of the URL being fetched.

Additional context
I'm developing a web app using Firebase, and making use of the service worker to inject an Authorization header with the logged-in user's authentication ID Token. This then gets verified by some middleware on the server. This approach means I don't have to deal with session cookies and keeping them in sync with Firebase auth, and also negates the need for CSRF tokens. However, the server throws away the Authorization header at the moment, making it impossible for me to use SSR for authenticated routes.

@cyderize cyderize changed the title Authorization header doesn't get sent by server fetch Authorization header doesn't get (automatically) sent by server fetch Sep 9, 2019
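The behaviour the issue asks for, as an added example that is not Sapper's middleware or the reporter's code: a fetch made while rendering a page forwards the incoming request's Authorization header, but only when the target URL resolves to the same origin as the page request, so a Basic credential or bearer token is never sent to a third-party host during SSR. The names `isSameOrigin`, `buildSsrHeaders`, `ssrFetch` and the `pageRequest` shape (`url` plus lowercase `headers`, as Node's http module provides) are assumptions of this example; the Basic value is constructed from the issue's own username/password pair.

```javascript
// Added example, not Sapper's own code. It shows an SSR fetch that forwards
// the page request's Authorization header only to same-origin targets.

// Resolve `target` (relative, absolute-path, absolute or protocol-relative URL)
// against the URL of the page being rendered and compare origins
// (scheme + host + port), which is what decides whether credentials may go along.
function isSameOrigin(pageUrl, target) {
  const page = new URL(pageUrl);
  const resolved = new URL(target, page);
  return resolved.origin === page.origin;
}

// Build the headers for a server-side fetch. The Authorization header is copied
// from the incoming page request only when the target is same-origin and the
// caller did not pass credentials: 'omit'. Cross-origin targets never receive it.
function buildSsrHeaders(pageRequest, target, init = {}) {
  const headers = { ...(init.headers || {}) };
  const credentials = init.credentials || 'same-origin';
  const incoming = pageRequest.headers.authorization; // assumed lowercase header keys
  if (incoming && credentials !== 'omit' && isSameOrigin(pageRequest.url, target)) {
    headers.authorization = incoming;
  }
  return headers;
}

// Thin wrapper around an injected fetch implementation (injected so the example
// runs offline without node-fetch). Resolves the target and attaches the headers.
function ssrFetch(fetchImpl, pageRequest, target, init = {}) {
  const resolved = new URL(target, pageRequest.url).toString();
  return fetchImpl(resolved, { ...init, headers: buildSsrHeaders(pageRequest, target, init) });
}

// Constructed sample page request: the browser sent Basic "username:password"
// (base64 dXNlcm5hbWU6cGFzc3dvcmQ=) when it asked for /blog/first-post.
const samplePageRequest = {
  url: 'https://example.test/blog/first-post',
  headers: { authorization: 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=' },
};

// Fake fetch that records what it was asked to send instead of hitting the network.
function makeRecordingFetch(log) {
  return (url, init) => {
    log.push({ url, headers: init.headers });
    return Promise.resolve({ ok: true });
  };
}

// Run four representative fetches and return what each one would have sent.
function demo() {
  const log = [];
  const fetchImpl = makeRecordingFetch(log);
  // 1. same-origin JSON route, like blog/[slug].json: header is forwarded
  ssrFetch(fetchImpl, samplePageRequest, 'first-post.json', { credentials: 'same-origin' });
  // 2. absolute cross-origin URL: header withheld even with credentials: 'include'
  ssrFetch(fetchImpl, samplePageRequest, 'https://api.third-party.test/me', { credentials: 'include' });
  // 3. protocol-relative URL that leaves the origin: header withheld
  ssrFetch(fetchImpl, samplePageRequest, '//third-party.test/x', { credentials: 'include' });
  // 4. same-origin but caller opted out with credentials: 'omit'
  ssrFetch(fetchImpl, samplePageRequest, '/blog/first-post.json', { credentials: 'omit' });
  return log;
}

module.exports = { isSameOrigin, buildSsrHeaders, ssrFetch, demo };
```

The origin comparison is the part that matters from a security standpoint: matching on hostname alone would still forward the credential to a different port or scheme, and skipping the check entirely would turn every `this.fetch` of an external URL during SSR into a credential leak.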
@Conduitry
Member

Fixed in 0.27.14.
