flawiddsouza / Restfox

Offline-First Minimalistic HTTP & Socket Testing Client for the Web & Desktop
https://restfox.dev
MIT License
2.01k stars 99 forks

Cookie auth #120

Open kkkrist opened 6 months ago

kkkrist commented 6 months ago

Hi,

what do you think about adding a cookie auth option?

By default, fetch requests ignore set-cookie headers in responses and don't send stored cookies via the cookie header. Both can be enabled by setting the credentials fetch option to "same-origin" or "include".

I'm imagining an additional option called "Cookies" in the "Auth" tab which lets the user select the credentials option to add to all relevant fetch calls.

What would be the outline to implement this best?

flawiddsouza commented 5 months ago

Hi @kkkrist, I would assume this would work only for sites that allow cross origin cookies. same-origin option can't work as the cookies would need to originate from restfox.dev. Are you using restfox through the web at restfox.dev? I cannot envision what would be present in the Cookies option in Auth. You can only tell fetch to include credentials. There's no way to pass specific credentials to fetch. So I'm not sure how the user would be able to select credentials they want.

A proper cookie system can only be implemented in the desktop version of Restfox, as it has no CORS limitations. It already allows you to send the Cookie header in your requests. We just need to expand it to have a Cookie Manager. So Set-Cookie requests are stored and used by the requests.

kkkrist commented 5 months ago

Thank you for your reply! Yes, I'm using restfox.dev and/or a self-hosted version of the same. "same-origin" only works if you self-host on the same domain as the API (so not restfox.dev). "include" however works anywhere, given the API server sets CORS headers accordingly.

It could well be that I've missed something, but I think it would be enough to make the Cookies option a boolean setting that just causes the credentials option to be set to "include" in the fetch call options (fetch("https://api.com/", { credentials: "include" })). With that setting, the browser will store cookies requested via Set-Cookie headers in responses and also attach them via Cookie headers in subsequent requests just like with ordinary non-fetch/-xhr requests. So no need to manage cookies. I've tested it by hard-coding it into the fetch calls and it worked for me.
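What "sets CORS headers accordingly" has to mean for credentials: "include", as an added example that is not part of the original thread or of Restfox's code: a checker that applies the browser's credentialed-CORS rules, plus the SameSite=None; Secure requirement for cross-site cookies, to a set of response headers. The function names and the sample header values are constructed for illustration, and the API is assumed to be cross-site to the page.

```javascript
// Added example. Header sets below are constructed samples, not captured traffic.

// A cookie set by a cross-site response is stored and re-sent on later
// cross-site fetch calls only when it is marked SameSite=None, and browsers
// accept SameSite=None only together with Secure.
function cookieUsableCrossSite(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes("samesite=none") && attrs.includes("secure");
}

// Returns the reasons a browser page at `pageOrigin` could not use this
// response when the request was made with credentials: "include".
// An empty array means the credentialed cross-origin request works.
function auditCredentialedResponse(pageOrigin, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const problems = [];
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    problems.push("no Access-Control-Allow-Origin header");
  } else if (acao === "*") {
    // The wildcard is rejected whenever credentials are included.
    problems.push("wildcard origin is not accepted with credentials");
  } else if (acao !== pageOrigin) {
    problems.push("Access-Control-Allow-Origin does not match the page origin");
  }
  // The value is compared case-sensitively against the literal "true".
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not \"true\"");
  }
  const setCookie = h["set-cookie"];
  if (setCookie !== undefined && !cookieUsableCrossSite(setCookie)) {
    problems.push("cookie lacks SameSite=None; Secure");
  }
  return problems;
}

const PAGE = "https://restfox.dev";
const okHeaders = {
  "Access-Control-Allow-Origin": PAGE,
  "Access-Control-Allow-Credentials": "true",
  "Set-Cookie": "sid=constructed; Path=/; HttpOnly; Secure; SameSite=None",
};
const wildcardHeaders = { ...okHeaders, "Access-Control-Allow-Origin": "*" };
const laxCookieHeaders = { ...okHeaders, "Set-Cookie": "sid=constructed; Path=/; HttpOnly" };

console.log(auditCredentialedResponse(PAGE, okHeaders));
console.log(auditCredentialedResponse(PAGE, wildcardHeaders));
console.log(auditCredentialedResponse(PAGE, laxCookieHeaders));
```

An API that passes this check for an origin has agreed to let pages on that origin make requests carrying the user's cookies, so the allowed origin should be an explicit allow-list entry rather than a reflected Origin header.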

eznix86 commented 5 months ago

Looks like a toggle to me. @kkkrist Maybe you can add a custom option in the settings "Allow CORS calls". Then link it to this: https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials#include