Bug Report: setting header "X-Fallback-Cookies" gets overwritten on request
PaulDotterer opened this issue
Reproduction steps
Setting header "X-Fallback-Cookies" without "cookieFallback" inside localStorage always sets the header to a blank string.
- Sign in the user inside the +page.server.js form action and set the returned cookies on the response object with the "httpOnly" flag set to false

```js
// parseString and splitCookiesString as exported by the set-cookie-parser
// package (assumed source of these helpers).
import { parseString, splitCookiesString } from 'set-cookie-parser';
// AppwriteEndpoint and AppwriteProject are defined elsewhere in the project.

export const actions = {
  login: async ({ request, cookies }) => {
    const data = Object.fromEntries(await request.formData());
    try {
      // Create the session server-side against the Appwrite REST API.
      const response = await fetch(`${AppwriteEndpoint}/account/sessions/email`, {
        method: 'POST',
        headers: {
          'x-appwrite-project': AppwriteProject,
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({
          email: data.email,
          password: data.password
        })
      });
      const json = await response.json();
      // Copy Appwrite's Set-Cookie headers onto the SvelteKit response.
      const cookiesArray = splitCookiesString(response.headers.get('set-cookie'));
      const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie));
      for (const cookie of cookiesParsed) {
        cookies.set(cookie.name, cookie.value, {
          domain: cookie.domain,
          secure: cookie.secure,
          sameSite: cookie.sameSite,
          path: '/',
          maxAge: cookie.maxAge,
          httpOnly: false, // readable from client-side script, as the next step requires
          expires: cookie.expires
        });
      }
    } catch (e) {
      console.log(e);
    }
  }
};
```
- Load value from the previously set cookie inside +page.svelte file and add header.

```js
const cookiesArray = splitCookiesString(document.cookie, ';');
const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie));
cookiesParsed.map((cookie) => {
  if (cookie.name === 'a_session_' + AppwriteProject) {
    AppwriteService.setSession(cookie.value);
  }
});
```

Appwrite.setSession function:

```js
setSession: (hash) => {
  const authCookies = {};
  authCookies['a_session_' + AppwriteProject] = hash;
  client.headers['X-Fallback-Cookies'] = JSON.stringify(authCookies);
}
```
Expected behavior
The header "X-Fallback-Cookies" gets set to the loaded value and a client-side request will be sent with the header present.
Actual Behavior
Since the localStorage is empty, the provided value gets overridden with an empty string and the request will fail with a 401 error.
I believe the bug happens inside client.ts on lines 373-375:

```ts
if (typeof window !== 'undefined' && window.localStorage) {
    headers['X-Fallback-Cookies'] = window.localStorage.getItem('cookieFallback') ?? '';
}
```

There is no check if "X-Fallback-Cookies" is present at the time of the request, so the value will always be overwritten if window and window.localStorage return true.
Appwrite version
Different version (specify in environment)
Operating system
MacOS
Your Environment
Sveltekit 1.22.3
Appwrite 1.3.7
Appwrite Client: 11.0.0
Have you spent some time to check if this issue has been raised before?
- I checked and didn't find similar issue
Have you read the Code of Conduct?
- I have read the Code of Conduct
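
The overwrite described in this report, modelled offline as an added example (not Appwrite SDK code and not the reporter's code). `headersAsReported` mirrors the three lines quoted from client.ts; `headersWithGuard`, `makeStorage`, `demo` and all sample values are hypothetical names and constructed data.

```javascript
// Constructed stand-in for window.localStorage; only getItem is needed here.
function makeStorage(items = {}) {
  return { getItem: (key) => (key in items ? items[key] : null) };
}

// Mirrors the lines quoted from client.ts: the header is always taken from
// localStorage, so a value already on the client is replaced (by '' if unset).
function headersAsReported(clientHeaders, storage) {
  const headers = { ...clientHeaders };
  if (storage) {
    headers['X-Fallback-Cookies'] = storage.getItem('cookieFallback') ?? '';
  }
  return headers;
}

// Hypothetical guard (an assumption, not the SDK's fix): a non-empty header set
// by the caller wins, localStorage is only a fallback, and '' is never sent.
function headersWithGuard(clientHeaders, storage) {
  const headers = { ...clientHeaders };
  const preset = headers['X-Fallback-Cookies'];
  if (typeof preset === 'string' && preset !== '') return headers;
  const stored = storage ? storage.getItem('cookieFallback') : null;
  if (stored) headers['X-Fallback-Cookies'] = stored;
  else delete headers['X-Fallback-Cookies'];
  return headers;
}

// Constructed sample values; no real project id or session secret.
const PROJECT = 'demo-project';
const PRESET = JSON.stringify({ ['a_session_' + PROJECT]: 'constructed-session' });
const STORED = JSON.stringify({ ['a_session_' + PROJECT]: 'constructed-stored' });

function demo() {
  const withPreset = { 'x-appwrite-project': PROJECT, 'X-Fallback-Cookies': PRESET };
  const noPreset = { 'x-appwrite-project': PROJECT };
  const empty = makeStorage();
  const filled = makeStorage({ cookieFallback: STORED });
  return {
    reported: headersAsReported(withPreset, empty)['X-Fallback-Cookies'],
    guarded: headersWithGuard(withPreset, empty)['X-Fallback-Cookies'],
    fallback: headersWithGuard(noPreset, filled)['X-Fallback-Cookies'],
    omitted: !('X-Fallback-Cookies' in headersWithGuard(noPreset, empty)),
  };
}

console.log(demo());
```

The reproduction depends on `httpOnly: false`, which makes the session cookie readable by any script running on the page.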