authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

Reconsider necessity of having public origin redirects in POST apis #3459

Open tung2744 opened 1 year ago

tung2744 commented 1 year ago

Some HTTP clients, such as https://api.flutter.dev/flutter/dart-io/HttpClientRequest/followRedirects.html, will not follow redirects on POST requests. Therefore, returning 308 in POST APIs may cause problems. If it is not necessary, let's remove it.

fungc-io commented 12 months ago

Affecting:

tung2744 commented 12 months ago

After discussion, we will handle it as follows:

When using the database config source, as the host will be used to map to the app ID, it must be a valid host if he successfully calls an API. So a redirect is not needed.

When using the file system config source, we should only redirect if the "trust proxy" config is false.
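
The handling agreed in the last comment, sketched as Go middleware. This is an added example, not authgear-server code: `Policy`, `Probe`, the host names and the Host-only comparison are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Policy is a hypothetical type for this example, not an authgear-server type.
type Policy struct {
	FileSystemSource bool     // false means the database config source
	TrustProxy       bool     // the "trust proxy" setting from the thread
	PublicOrigin     *url.URL // constructed value, e.g. https://auth.example.com
}

// ShouldRedirect: never with the database source; with the file system source only when trust proxy is false.
func (p Policy) ShouldRedirect(r *http.Request) bool {
	// Assumption: a mismatch is judged on the Host header alone.
	return p.FileSystemSource && !p.TrustProxy && r.Host != p.PublicOrigin.Host
}

// Middleware answers 308 with the same path and query on the public origin.
func (p Policy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p.ShouldRedirect(r) {
			target := *p.PublicOrigin
			target.Path, target.RawQuery = r.URL.Path, r.URL.RawQuery
			http.Redirect(w, r, target.String(), http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed POST through the middleware and reports status and Location.
func Probe(p Policy, host string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "http://"+host+"/api/example?x=1", nil)
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	p.Middleware(ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	origin, _ := url.Parse("https://auth.example.com")
	fmt.Println(Probe(Policy{true, false, origin}, "internal.example"))
	fmt.Println(Probe(Policy{false, false, origin}, "internal.example"))
}
```

A client that does not follow redirects on POST sees the 308 as the final response, so only the first case in `main` can still cause the problem described in the issue.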