🐛 Bug Report: setting header "X-Fallback-Cookies" gets overwritten on request

Question

🐛 Bug Report: setting header "X-Fallback-Cookies" gets overwritten on request

PaulDotterer opened this issue a year ago · 0 comments

👟 Reproduction steps

Setting header "X-Fallback-Cookies" without "cookieFallback" inside localStorage always sets the header to blank string.

Signin user inside +page.server.js form action and set returned cookies on the response object with "httpsOnly" flag set to false

export const actions = {
	login: async ({ request, cookies }) => {
		const data = Object.fromEntries(await request.formData());
		try {
			const response = await fetch(`${AppwriteEndpoint}/account/sessions/email`, {
				method: 'POST',
				headers: {
					'x-appwrite-project': AppwriteProject,
					'Content-Type': 'application/json'
				},
				body: JSON.stringify({
					email: data.email
					password: data.password
				})
			});
			const json = await response.json();
			const cookiesArray = splitCookiesString(response.headers.get('set-cookie'));
			const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie));
			for (const cookie of cookiesParsed) {
				cookies.set(cookie.name, cookie.value, {
					domain: cookie.domain,
					secure: cookie.secure,
					sameSite: cookie.sameSite,
					path: '/',
					maxAge: cookie.maxAge,
					httpOnly: false,
					expires: cookie.expires
				});
			}
			
		} catch (e) {
			console.log(e);
		}
	}
};

Load value from the previously set cookie inside +page.svelte file and add header.

const cookiesArray = splitCookiesString(document.cookie, ';');
		const cookiesParsed = cookiesArray.map((cookie) => parseString(cookie));

		cookiesParsed.map((cookie) => {
			if (cookie.name === 'a_session_' + AppwriteProject) {
				AppwriteService.setSession(cookie.value);
			}
		});

Appwrite.setSession function:

setSession: (hash) => {
		const authCookies = {};
		authCookies['a_session_' + AppwriteProject] = hash;
		client.headers['X-Fallback-Cookies'] = JSON.stringify(authCookies);
	}

👍 Expected behavior

The header "X-Fallback-Cookies" gets set to the loaded value and a client side request will be send with the header present.

👎 Actual Behavior

Since the localstorage is empty the provided value gets overridden with an empty string and the request will fail with a 401 error.

i believe the bug happens inside client.ts on line 373-375:

if (typeof window !== 'undefined' && window.localStorage) {
            headers['X-Fallback-Cookies'] = window.localStorage.getItem('cookieFallback') ?? '';
        }

there is no check if "X-Fallback-Cookies" is present at the time of the request so the value will always be overwritten if window and window.localStorage return true.

🎲 Appwrite version

Different version (specify in environment)

💻 Operating system

MacOS

🧱 Your Environment

Sveltekit 1.22.3
Appwrite 1.3.7
Appwrite Client: 11.0.0

👀 Have you spent some time to check if this issue has been raised before?

I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

I have read the Code of Conduct