From 07469a427c2ce92454c1e9e0948d849255f7fa08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gast=C3=B3n=20Fournier?=
Date: Tue, 15 Oct 2024 13:16:16 +0200
Subject: [PATCH] fix: same site api call with session cookie (#8435)

## About the changes
This fixes #8029. How to reproduce the issue is in the ticket. The issue happens because when a web app is hosted in the same domain as Unleash UI and the web app uses unleash SDK to make requests to Unleash, the browser automatically includes the cookie in the request headers, because:
- The request URL matches the cookie's Path attribute (which it does in this case).
- The request is sent to the same domain (which it is, since both apps are under the same domain).
And this is by design in the HTTP cookie specification: https://datatracker.ietf.org/doc/html/rfc6265
This PR avoids overriding the API user with the session user if there's already an API user in the request. It's an alternative to https://github.com/Unleash/unleash/pull/8434
Closes #8029
---
 src/lib/middleware/authorization-middleware.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lib/middleware/authorization-middleware.ts b/src/lib/middleware/authorization-middleware.ts
index 5568d5c595..3fb48563e2 100644
--- a/src/lib/middleware/authorization-middleware.ts
+++ b/src/lib/middleware/authorization-middleware.ts
@@ -4,7 +4,6 @@ import type { LogProvider } from '../logger';
 import { AuthenticationRequired } from '../server-impl';
 import UnauthorizedError from '../error/unauthorized-error';
-/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
 const authorizationMiddleware = (
 getLogger: LogProvider,
 baseUriPath: string,
@@ -13,7 +12,7 @@ const authorizationMiddleware = (
 logger.debug('Enabling Authorization middleware');
 return async (req: IAuthRequest, res: Response, next: NextFunction) => {
- if (req.session?.user) {
+ if (!req.user?.isAPI && req.session?.user) {
 req.user = req.session.user;
 return next();
 }
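Review bot: The new condition on the `+` line only protects an API identity that an earlier step already placed in `req.user`; when no valid API token was recognised, `req.user?.isAPI` is falsy and a same-site request still inherits the browser session user, so a request carrying a missing, malformed or revoked token is authorised as the logged-in UI user instead of being refused. Whether that fallback is intended depends on middleware ordering outside this hunk, so it should at least be stated in a comment above the check, e.g. `// An API-token identity set upstream takes precedence; a same-site browser session cookie must not replace it (#8029).` The diffstat shows only the middleware file changed, so the both-identities case ships without a regression test. The arrow function returned here continues past the end of the hunk.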