Giters

appwrite / sdk-for-web

[READ-ONLY] Official Appwrite Web SDK 🧑

Home Page:https://appwrite.io

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

πŸ› Bug Report: setting header "X-Fallback-Cookies" gets overwritten on request

PaulDotterer opened this issue Β· comments

commented

πŸ‘Ÿ Reproduction steps

Setting header "X-Fallback-Cookies" without "cookieFallback" inside localStorage always sets the header to blank string.

  1. Signin user inside +page.server.js form action and set returned cookies on the response object with "httpsOnly" flag set to false
export const actions = {
	login: async ({ request, cookies }) => {
		const data = Object.fromEntries(await request.formData());
		try {
			const response = await fetch(`${AppwriteEndpoint}/account/sessions/email`, {
				method: 'POST',
				headers: {
					'x-appwrite-project': AppwriteProject,
					'Content-Type': 'application/json'
				},
				body: JSON.stringify({
					email: data.email
					password: data.password
				})
			});
			const json = await response.json();
			const cookiesArray = splitCookiesString(response.headers.get('set-cookie'));
			const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie));
			for (const cookie of cookiesParsed) {
				cookies.set(cookie.name, cookie.value, {
					domain: cookie.domain,
					secure: cookie.secure,
					sameSite: cookie.sameSite,
					path: '/',
					maxAge: cookie.maxAge,
					httpOnly: false,
					expires: cookie.expires
				});
			}
			
		} catch (e) {
			console.log(e);
		}
	}
};
  1. Load value from the previously set cookie inside +page.svelte file and add header.
const cookiesArray = splitCookiesString(document.cookie, ';');
		const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie));

		cookiesParsed.map((cookie) => {
			if (cookie.name === 'a_session_' + AppwriteProject) {
				AppwriteService.setSession(cookie.value);
			}
		});

Appwrite.setSession function:

setSession: (hash) => {
		const authCookies = {};
		authCookies['a_session_' + AppwriteProject] = hash;
		client.headers['X-Fallback-Cookies'] = JSON.stringify(authCookies);
	}

πŸ‘ Expected behavior

The header "X-Fallback-Cookies" gets set to the loaded value and a client side request will be send with the header present.

πŸ‘Ž Actual Behavior

Since the localstorage is empty the provided value gets overridden with an empty string and the request will fail with a 401 error.

i believe the bug happens inside client.ts on line 373-375:

if (typeof window !== 'undefined' && window.localStorage) {
            headers['X-Fallback-Cookies'] = window.localStorage.getItem('cookieFallback') ?? '';
        }

there is no check if "X-Fallback-Cookies" is present at the time of the request so the value will always be overwritten if window and window.localStorage return true.

🎲 Appwrite version

Different version (specify in environment)

πŸ’» Operating system

MacOS

🧱 Your Environment

Sveltekit 1.22.3
Appwrite 1.3.7
Appwrite Client: 11.0.0

πŸ‘€ Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏒 Have you read the Code of Conduct?