EnsembleUI / ensemble

Build native apps 20x faster than Flutter, RN or any other tech
https://ensembleui.com/
BSD 3-Clause "New" or "Revised" License

Extend manageCookies from issue 1649 for web apps #1692

Open v-krupsky opened 1 month ago

v-krupsky commented 1 month ago

Context: if a cookie is provided by the API requested from Ensemble, it is not stored by the browser.

Sample request and response headers are below (body does not matter). Flutter web is running on port 9000. The FastAPI BE is running on port 8000.

Request headers:

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Host: local.example.com:8000
Origin: https://local.example.com:9000
Referer: https://local.example.com:9000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"

Response headers:

HTTP/1.1 200 OK
date: Tue, 15 Oct 2024 04:28:53 GMT
server: uvicorn
content-length: 26
content-type: application/json
set-cookie: session=660a7ec4-6c58-4394-ab98-e75923c23a11; Domain=example.com; HttpOnly; Path=/; SameSite=lax; Secure
access-control-allow-origin: https://local.example.com:9000
access-control-allow-credentials: true
access-control-allow-methods: *
access-control-allow-headers: *

Suggestion: extend manageCookies from issue https://github.com/EnsembleUI/ensemble/issues/1649 for web apps to the following behaviour: When manageCookies is true, include withCredentials = true when making API requests.

Plain JS example: fetch('https://example.com/', { credentials: 'include' });

v-krupsky commented 1 month ago

I've checked the proposed fix (withCredentials=true) by modifying the http package source to make bool withCredentials = true; and it does solve the issue. The browser stores the cookie, and it appears in requests to the API.

kmahmood74 commented 1 month ago

Hi @TheNoumanDev, Ivan found an important issue with handling cookies from different domains that we should resolve. The http Flutter package we use does not support it. So we either use a different package or enhance it a bit to support it.

Here's a long discussion on this and a neat solution someone provided

We basically need to do two things -

  1. Expose a property withCredentials (default: false) in our API definition. Read that (if set) to set the value of withCredentials.
  2. Expose an environment variable allowCrossDomainCookies. When set to true, it will automatically set withCredentials to true for all API calls. That way the user doesn't have to remember to set it every time.
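
The browser-side rules behind this thread, as an added example that is not part of the original comments or of Ensemble's code: it resolves the two proposed settings into one flag and then checks the response headers quoted in the issue against the CORS requirements for credentialed requests. The helper names `resolveWithCredentials` and `checkCredentialedResponse` are hypothetical.

```javascript
// Added example; resolveWithCredentials and checkCredentialedResponse are
// hypothetical helper names, not Ensemble or package:http APIs.

// The two settings proposed in the thread: a per-API withCredentials
// (default false) and a global allowCrossDomainCookies that forces it on.
function resolveWithCredentials(apiDef = {}, env = {}) {
  return env.allowCrossDomainCookies === true || apiDef.withCredentials === true;
}

// Applies the browser's CORS rules for credentialed requests to a response.
// errors: the cookie is not stored or the response is blocked.
// warnings: fine for a simple GET, but will break a preflighted request.
function checkCredentialedResponse(pageOrigin, headers, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  const errors = [], warnings = [];
  if (!withCredentials) {
    if (h['set-cookie']) errors.push('Set-Cookie is ignored: request was sent without credentials');
    return { errors, warnings };
  }
  const acao = h['access-control-allow-origin'];
  if (acao === '*') errors.push('Access-Control-Allow-Origin "*" is rejected when credentials are included');
  else if (acao !== pageOrigin) errors.push('Access-Control-Allow-Origin must equal ' + pageOrigin);
  if (h['access-control-allow-credentials'] !== 'true')
    errors.push('Access-Control-Allow-Credentials must be the exact string "true"');
  for (const name of ['access-control-allow-methods', 'access-control-allow-headers'])
    if (h[name] === '*') warnings.push(name + ': "*" is a literal, not a wildcard, when credentials are included');
  return { errors, warnings };
}

// Response headers as quoted in the issue (FastAPI on :8000, Flutter web on :9000).
const PAGE_ORIGIN = 'https://local.example.com:9000';
const SAMPLE_RESPONSE = {
  'set-cookie': 'session=660a7ec4-6c58-4394-ab98-e75923c23a11; Domain=example.com; HttpOnly; Path=/; SameSite=lax; Secure',
  'access-control-allow-origin': 'https://local.example.com:9000',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': '*',
  'access-control-allow-headers': '*',
};

for (const mode of [false, true])
  console.log('withCredentials=' + mode, checkCredentialedResponse(PAGE_ORIGIN, SAMPLE_RESPONSE, mode));
```

Because `allowCrossDomainCookies` turns credentials on for every API call, the backend's `access-control-allow-origin` should stay an explicit allowlist of trusted origins rather than a reflection of whatever `Origin` header arrives.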