ACCESS STATIC RESOURCE WILL CAUSE LOSING SESSION from EGG-PASSPORT #4851
Comments
Hello @minhthinhls. Please provide a reproducible example following the instruction. Issues labeled by @minhthinhls, please provide minimal reproducible code following this instruction. It will be closed automatically if there is no progress within 7 days.
Suppose I have an Axios instance on the client side, which has been initialized with the following code. When I enable `withCredentials === true`, the HTTP instance will indeed tend to use a cookie to store `EGG_SESS`, but that's the case for requests with POST and GET. Also when

```ts
import axios from 'axios';
// CONFIG is the project's own settings object (not shown in the issue).

const httpInstance = axios.create({
  timeout: 60000,
  baseURL: CONFIG.http.baseURL,
  withCredentials: true, // <-- Please have a look into this flag.
  headers: {
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
  },
});
// Custom per-request flags read by the client's own interceptors.
httpInstance.defaults.headers.common.isLoading = true;
httpInstance.defaults.headers.common.successAlert = false;
httpInstance.defaults.headers.common.errorAlert = true;
Object.setPrototypeOf(httpInstance, axios);
```

For the Egg server, the following configuration inside config.default.ts will be

```ts
import { Context, EggAppInfo } from 'egg';
// RecursivePartial and IEggAppConfig are the project's own typings (not shown in the issue).

export default (appInfo: EggAppInfo): RecursivePartial<IEggAppConfig> => ({
  security: {
    csrf: false,
    domainWhiteList: ['*'],
  },
  /** @see {@link https://github.com/eggjs/egg-cors/blob/master/app.js/} */
  cors: {
    /** @type {function(ctx: Context): string} */
    origin: (ctx: Context): string => {
      /** - Origin is `${protocol}://${hostname}:${port}` !*/
      const origin = ctx.get('origin');
      /** Block Client Request when `Request Headers: Origin` got omitted !*/
      if (!origin) {
        return "";
      }
      /** Without egg-security's helper there is no allow-list to check, so the Origin is reflected as-is. */
      if (typeof ctx.isSafeDomain !== 'function') {
        return origin;
      }
      /** @see {@link https://www.w3schools.com/nodejs/nodejs_url.asp} */
      const parsedUrl = new URL(origin);
      if (ctx.isSafeDomain(parsedUrl.hostname) || ctx.isSafeDomain(origin)) {
        return origin;
      }
      /** Default Blocking Unsafe Request from Client !*/
      return "";
    },
    credentials: true,
    allowMethods: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE', 'PATCH', 'OPTIONS'].join(","),
    allowHeaders: [
      'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials',
      'Accept', 'Authorization', 'Content-Type', 'X-Requested-With', 'Origin',
      'cancelRequest', 'errorAlert', 'successAlert', 'isLoading', 'responseType', 'token',
    ].join(","),
    exposeHeaders: 'Content-Disposition',
  },
});
```
What happens?
Currently I enable allowing credentials from the client so that the Passport deserialize methods run. If there is no cookie, they will not run!
But when a request for a static resource such as an image is fired to the server, the server will remove the old session and respond to the client with a new session (inside the cookie). Hence the user gets kicked out of the session.