Send Cookie with setUpload function POST request

kqito / use-tus

React hooks for resumable file uploads using tus

https://kqito.github.io/use-tus/?path=/story/usetus--basic

MIT License

101 stars 8 forks source link

Send Cookie with setUpload function POST request #53

Open arsvprem opened 2 weeks ago

arsvprem commented 2 weeks ago

How do I include my auth-cookie when I trigger setUpload function? My backend needs a session token to authenticate. Currently, it doesn't seem to include my cookie be default

dkmorgan commented 2 weeks ago

I had the same issue, but managed after digging through some posts on how to use tus-js-client. Pass in your own onBeforeRequest() into TusHooksUploadOptions:

onBeforeRequest: req => {
  const xhr = req.getUnderlyingObject()
  xhr.withCredentials = true
  xhr.setRequestHeader("Header Name", token)
}

kqito commented 2 weeks ago

Thank you for your issue!

As @dkmorgan mentioned, we can use cookies by enabling xhr.withCredentials in the onBeforeRequest method, which is described in the tus-js-client documentation.

This can be used to modify the outgoing request. For example, you can enable the withCredentials setting for XMLHttpRequests in browsers:

https://github.com/tus/tus-js-client/blob/main/docs/api.md#onbeforerequest

Could you take a look at it once, please?

arsvprem commented 2 weeks ago

Great, Thanks for your help folks. With above solution, I think I got one half of the issue fixed. I can successfully authenticate to my backend and get uploadURL (Location) header for a video stream provider. Here is the issue - I guess the 2nd request going to upload url also has withCredentials=true set and because of which CORS fails, since provider has set their access-control-allow-origin: * which is causing a conflict. Anyway I can make withCredentials=false on the second request?

upload:1 Access to XMLHttpRequest at 'https://uploadurl' from origin 'http://localhost:5173' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

arsvprem commented 2 weeks ago

Sorry, I accidentally closed the issue

dkmorgan commented 2 weeks ago

Is it your preflight request (OPTIONS method) that is being blocked? If it is, you can add a condition by checking the method that is used for the request. Something like this:

if (req.getMethod() === 'POST') {
  xhr.withCredentials = true
}

arsvprem commented 2 weeks ago

Working perfectly now. Thanks folks. I thought I'd never be able to fix this. You folks are awesome!

arsvprem commented 2 weeks ago

FYI, I had to use req instead of xhr for the conditional - if (req.getMethod() === 'POST')

dkmorgan commented 2 weeks ago

FYI, I had to use req instead of xhr for the conditional - if (req.getMethod() === 'POST')

Oops, apologies for that. Corrected the example in my comment!