Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ACCESS STATIC RESOURCE WILL CAUSE LOSING SESSION from EGG-PASSPORT #4851

Open
minhthinhls opened this issue Jan 4, 2022 · 2 comments
Open

Comments

@minhthinhls
Copy link

What happens?

Currently I Enable Allowing Credentials from Client to enable Passport Deserialize Methods to run. If no Cookie it will not run !
But when a request with Static resources as Image fired to Server, the server will remove old session and response back to client new session (inside cookie) . Hence user got kicked out of session.

@egg-bot
Copy link

egg-bot commented Jan 4, 2022

Hello @minhthinhls. Please provide a reproducible example following the instruction.

Issues labeled by Need Reproduce will be closed if no activities in 7 days.


@minhthinhls,请根据这个说明提供最小可复现代码。

如果在 7 天内没有进展会被自动关闭。

@minhthinhls
Copy link
Author

Suppose I have an Axios Instance from CLIENT Side. Which been initialized with the following code. When I enable withCredential === true, the HTTP Instance will indeed tend to use cookie to store EGG_SESS, but that's the case for Request with POST and GET. Also when withCredentials === false, Egg-Passport will not trigger DESERIALIZE callback method in app.passport.deserialize(callback);
Then for the real case: I want to use the deserialize hook for intuitive code base. But since !!! When I load static resources, for example, image from egg server in directory ./app/public, and use withCredentials === true from HTTP CLient Side. The response Cookie for EGG_SESS will have different value and it override my old EGG_SESS, and thus kick me out of currently logged in state.

const httpInstance = axios.create({
	timeout: 60000,
	baseURL: CONFIG.http.baseURL,
	withCredentials: true, // <-- Please have a look into this flag.
	headers: {
		'Content-Type': 'application/json',
		'X-Requested-With': 'XMLHttpRequest',
	},
});
httpInstance.defaults.headers.common.isLoading = true;
httpInstance.defaults.headers.common.successAlert = false;
httpInstance.defaults.headers.common.errorAlert = true;
Object.setPrototypeOf(httpInstance, axios);

For Egg-Server, the following configuration inside config.default.ts will be

export default (appInfo: EggAppInfo): RecursivePartial<IEggAppConfig> => ({
  security: {
    csrf: false,
    domainWhiteList: ['*'],
  },

  /** @see {@link https://github.com/eggjs/egg-cors/blob/master/app.js/} */
  cors: {
    /** @type {function(ctx: Context): void} */
    origin: (ctx: Context): string => {
      /** - Origin is `${protocol}://${hostname}:${port}` !*/
      const origin = ctx.get('origin');
      /** Block Client Request when `Request Headers: Origin` got omitted !*/
      if (!origin) {
        return "";
      }

      if (typeof ctx.isSafeDomain !== 'function') {
        return origin;
      }

      /** @see {@link https://www.w3schools.com/nodejs/nodejs_url.asp} */
      const parsedUrl = new URL(origin);
      if (ctx.isSafeDomain(parsedUrl.hostname) || ctx.isSafeDomain(origin)) {
        return origin;
      }

      /** Default Blocking Unsafe Request from Client !*/
      return "";
    },
    credentials: true,
    allowMethods: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE', 'PATCH', 'OPTIONS'].join(","),
    allowHeaders: [
      'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials',
      'Accept', 'Authorization', 'Content-Type', 'X-Requested-With', 'Origin',
      'cancelRequest', 'errorAlert', 'successAlert', 'isLoading', 'responseType', 'token',
    ].join(","),
    exposeHeaders: 'Content-Disposition',
  },
});

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants