Closed PaulDotterer closed 1 month ago
Setting header "X-Fallback-Cookies" without "cookieFallback" inside localStorage always sets the header to blank string.
Signin user inside +page.server.js form action and set returned cookies on the response object with "httpsOnly" flag set to false
export const actions = { login: async ({ request, cookies }) => { const data = Object.fromEntries(await request.formData()); try { const response = await fetch(`${AppwriteEndpoint}/account/sessions/email`, { method: 'POST', headers: { 'x-appwrite-project': AppwriteProject, 'Content-Type': 'application/json' }, body: JSON.stringify({ email: data.email password: data.password }) }); const json = await response.json(); const cookiesArray = splitCookiesString(response.headers.get('set-cookie')); const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie)); for (const cookie of cookiesParsed) { cookies.set(cookie.name, cookie.value, { domain: cookie.domain, secure: cookie.secure, sameSite: cookie.sameSite, path: '/', maxAge: cookie.maxAge, httpOnly: false, expires: cookie.expires }); } } catch (e) { console.log(e); } } };
Load value from the previously set cookie inside +page.svelte file and add header.
const cookiesArray = splitCookiesString(document.cookie, ';'); const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie)); cookiesParsed.map((cookie) => { if (cookie.name === 'a_session_' + AppwriteProject) { AppwriteService.setSession(cookie.value); } });
Appwrite.setSession function:
setSession: (hash) => { const authCookies = {}; authCookies['a_session_' + AppwriteProject] = hash; client.headers['X-Fallback-Cookies'] = JSON.stringify(authCookies); }
The header "X-Fallback-Cookies" gets set to the loaded value and a client side request will be send with the header present.
Since the localstorage is empty the provided value gets overridden with an empty string and the request will fail with a 401 error.
i believe the bug happens inside client.ts on line 373-375:
if (typeof window !== 'undefined' && window.localStorage) { headers['X-Fallback-Cookies'] = window.localStorage.getItem('cookieFallback') ?? ''; }
there is no check if "X-Fallback-Cookies" is present at the time of the request so the value will always be overwritten if window and window.localStorage return true.
Different version (specify in environment)
MacOS
Sveltekit 1.22.3 Appwrite 1.3.7 Appwrite Client: 11.0.0
๐ Reproduction steps
Setting header "X-Fallback-Cookies" without "cookieFallback" inside localStorage always sets the header to blank string.
Signin user inside +page.server.js form action and set returned cookies on the response object with "httpsOnly" flag set to false
Load value from the previously set cookie inside +page.svelte file and add header.
Appwrite.setSession function:
๐ Expected behavior
The header "X-Fallback-Cookies" gets set to the loaded value and a client side request will be send with the header present.
๐ Actual Behavior
Since the localstorage is empty the provided value gets overridden with an empty string and the request will fail with a 401 error.
i believe the bug happens inside client.ts on line 373-375:
there is no check if "X-Fallback-Cookies" is present at the time of the request so the value will always be overwritten if window and window.localStorage return true.
๐ฒ Appwrite version
Different version (specify in environment)
๐ป Operating system
MacOS
๐งฑ Your Environment
Sveltekit 1.22.3 Appwrite 1.3.7 Appwrite Client: 11.0.0
๐ Have you spent some time to check if this issue has been raised before?
๐ข Have you read the Code of Conduct?