AnWeber / vscode-httpyac

Quickly and easily send REST, Soap, GraphQL, GRPC, MQTT and WebSocket requests directly within Visual Studio Code
https://marketplace.visualstudio.com/items?itemName=anweber.vscode-httpyac
MIT License

Cookie not in this host's domain #274

Closed sgaliamov closed 2 months ago

sgaliamov commented 2 months ago

I have an issue using the extension when the actual API is hidden behind Azure API Management service.

I'm making this request:

GET https://apim-BACKEND-SERVICE.azure-api.net/
Authorization: {{token}}

But get error about cookies:

OR: RequestError - Cookie not in this host's domain. Cookie:app-BACKEND-SERVICE.azurewebsites.net Request:apim-BACKEND-SERVICE.azure-api.net
RequestError: Cookie not in this host's domain. Cookie:app-BACKEND-SERVICE.azurewebsites.net Request:apim-BACKEND-SERVICE.azure-api.net
    at Sj._beforeError (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:18474)
    at Sj._onResponseBase (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:12741)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Sj._onResponse (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:14359)
    at r.setCookie (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:159:9241)
    at c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:141:148102
    at new Promise (<anonymous>)
    at r.setCookie (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:141:148002)
    at c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:12615
    at Array.map (<anonymous>)
    at Sj._onResponseBase (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:12590)
    at Sj._onResponse (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:14370)
    at ClientRequest.<anonymous> (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:164:14580)
    at Object.onceWrapper (node:events:632:26)
    at ClientRequest.emit (node:events:529:35)
    at l.emit (c:\Users\u01sga\.vscode\extensions\anweber.vscode-httpyac-6.12.1\dist\extension.js:159:31404)
    at HTTPParser.parserOnIncomingClient [as onIncoming] (node:_http_client:700:27)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17)
    at TLSSocket.socketOnData (node:_http_client:541:22)
    at TLSSocket.emit (node:events:517:28)
    at addChunk (node:internal/streams/readable:335:12)
    at readableAddChunk (node:internal/streams/readable:308:9)
    at Readable.push (node:internal/streams/readable:245:10)
    at TLSWrap.onStreamRead (node:internal/stream_base_commons:190:23)

Console log:

ERROR: {"url":"https://apim-XXX.azure-api.net","protocol":"HTTP","method":"GET","headers":{"Authorization":"Bearer eyJ0eXA....","Accept":"*/*","User-Agent":"httpyac"},"options":{"cookieJar":{"version":"tough-cookie@4.1.3","storeType":"wE","rejectPublicSuffixes":false,"enableLooseMode":false,"allowSpecialUseDomain":true,"prefixSecurity":"silent","cookies":[{"key":"fpc","value":".....","expires":"2024-05-14T16:51:21.000Z","domain":"login.microsoftonline.com","path":"/","secure":true,"httpOnly":true,"hostOnly":true,"creation":"2024-04-14T16:51:21.474Z","lastAccessed":"2024-04-14T16:51:21.474Z","sameSite":"none"},{"key":"x-ms-gateway-slice","value":"estsfd","domain":"login.microsoftonline.com","path":"/","secure":true,"httpOnly":true,"hostOnly":true,"creation":"2024-04-14T16:51:21.475Z","lastAccessed":"2024-04-14T16:51:21.475Z","sameSite":"none"},{"key":"stsservicecookie","value":"estsfd","domain":"login.microsoftonline.com","path":"/","secure":true,"httpOnly":true,"hostOnly":true,"creation":"2024-04-14T16:51:21.475Z","lastAccessed":"2024-04-14T16:51:21.475Z","sameSite":"none"}]},"hooks":{"beforeRedirect":[null,null],"beforeRequest":[null,null]}},"proxy":""}

For some reason APIM exposes information about the underlying service. Probably it is not right, but I don't have direct control over the instance of APIM.

I think it should not matter at the end, as the same request works totally fine in other HTTP clients like Postman or REST Client.

And it works fine in curl:

curl -v --request GET \
  --url https://apim-BACKEND-SERVICE.azure-api.net \
  --header 'Accept: */*' \
  --header 'Authorization: Bearer eyJ0eXA.....' \
  --header 'User-Agent: httpyac'

* Host apim-BACKEND-SERVICE.azure-api.net:443 was resolved.
* IPv6: (none)
* IPv4: 20.224.76.234
*   Trying 20.224.76.234:443...
* Connected to apim-BACKEND-SERVICE.azure-api.net (20.224.76.234) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp384r1 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=*.azure-api.net
*  start date: Mar  1 18:04:55 2024 GMT
*  expire date: Feb 24 18:04:55 2025 GMT
*  subjectAltName: host "apim-BACKEND-SERVICE.azure-api.net" matched cert's "*.azure-api.net"
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure RSA TLS Issuing CA 04
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: apim-BACKEND-SERVICE.azure-api.net
> Accept: */*
> Authorization: Bearer eyJ0eXAiOiJK....
> User-Agent: httpyac
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
< Set-Cookie: ARRAffinity=6f27b92dd8bce13e55ecabe9082f50999260186a60dac081a691ca4a1657912c;Path=/;HttpOnly;Secure;Domain=app-BACKEND-SERVICE.azurewebsites.net
< Set-Cookie: ARRAffinitySameSite=6f27b92dd8bce13e55ecabe9082f50999260186a60dac081a691ca4a1657912c;Path=/;HttpOnly;SameSite=None;Secure;Domain=app-BACKEND-SERVICE.azurewebsites.net
< Request-Context: appId=cid-v1:100f597e-acb6-4859-9828-00de061ce4a4
< Date: Sun, 14 Apr 2024 16:53:20 GMT
<
* Connection #0 to host apim-BACKEND-SERVICE.azure-api.net left intact
{"data":{...}}}%

The most interesting part here:

...
< Set-Cookie: ARRAffinity=6f27b92dd8bce13e55ecabe9082f50999260186a60dac081a691ca4a1657912c;Path=/;HttpOnly;Secure;Domain=app-BACKEND-SERVICE.azurewebsites.net
< Set-Cookie: ARRAffinitySameSite=6f27b92dd8bce13e55ecabe9082f50999260186a60dac081a691ca4a1657912c;Path=/;HttpOnly;SameSite=None;Secure;Domain=app-BACKEND-SERVICE.azurewebsites.net
...

In ARRAffinitySameSite it exposes the actual backend URL. I think the library does some validation under the hood.

Ideally it should not, or there should be a way to disable it.
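The rejection reported above is the RFC 6265 domain-match rule applied strictly: a response may only set a cookie whose Domain attribute the request host domain-matches, and a cookie that fails the check is dropped (curl does this silently, httpyac surfaces it as an error). The following is an added example, not httpyac's or tough-cookie's code, that implements that check and runs it over the two Set-Cookie headers from the curl output; the hostnames are the redacted ones from the issue and the cookie values are shortened.

```javascript
// Added example (not httpyac's or tough-cookie's code): decide whether a
// Set-Cookie header received from `requestHost` may be stored, per RFC 6265.

// RFC 6265 section 5.1.3: `requestHost` domain-matches `cookieDomain` if they
// are identical, or if the host ends with "." + domain and is not an IP address.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^[\d.]+$/.test(host)) return false; // IPv4 literal: exact match only
  return host.endsWith('.' + domain);
}

// Minimal Set-Cookie parser: { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// RFC 6265 section 5.3 step 6: a cookie whose Domain attribute the request host
// does not domain-match is ignored. Without a Domain attribute it is host-only.
function storableCookies(requestHost, setCookieHeaders) {
  const accepted = [];
  const rejected = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c) continue;
    const domain = typeof c.attrs.domain === 'string' ? c.attrs.domain : null;
    if (domain !== null && !domainMatches(requestHost, domain)) {
      rejected.push({ name: c.name, domain, reason: "Cookie not in this host's domain" });
      continue;
    }
    accepted.push({ name: c.name, domain: domain ?? requestHost, hostOnly: domain === null });
  }
  return { accepted, rejected };
}

// Constructed sample: the two affinity cookies from the issue, values shortened.
const SAMPLE_HEADERS = [
  'ARRAffinity=6f27b9...;Path=/;HttpOnly;Secure;Domain=app-BACKEND-SERVICE.azurewebsites.net',
  'ARRAffinitySameSite=6f27b9...;Path=/;HttpOnly;SameSite=None;Secure;Domain=app-BACKEND-SERVICE.azurewebsites.net',
];
const result = storableCookies('apim-BACKEND-SERVICE.azure-api.net', SAMPLE_HEADERS);
```

A real cookie jar such as tough-cookie additionally refuses Domain values that are public suffixes (the `rejectPublicSuffixes` option visible in the console log); that check is omitted here.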

sgaliamov commented 2 months ago

Never mind, I've found the "httpyac.cookieJarEnabled": false setting. Looks like it helps.