http icon indicating copy to clipboard operation
http copied to clipboard

Published 20 hours ago verified publisher icon nuxt

Authorization headers set on the server are not persisted on the client

Open felixdenoix opened this issue 5 years ago • 2 comments

Version

v0.3.8

Reproduction link

https://codesandbox.io/s/priceless-voice-3mnwh

Steps to reproduce

Set Authorization headers during nuxtServerInit action in the store, they won't be present anymore in the client $http instance ($http._defaults.headers) afterwards

What is expected ?

the Authorization headers set on the $http instance server-side should be present in the $http instance client-side

What is actually happening?

the headers are empty client-side

Additional comments?

Not sure if this behaviour is intended ( and thus if its an issue) but it feels a bit odd having to set the request headers on both sides attended that I'm setting the header using the client cookies whenever available and that the client context is supposed to be hydated by the server-side data, right ?

felixdenoix avatar Jan 22 '20 16:01 felixdenoix

Hi @felixdenoix

Actually it's a normal behaviour, we don't share the state of the $http headers between client and server.

What I believe could be a nice enhancement though, is when you actually call $http.setToken() on the server (or maybe directly $http.setHeader()) to keep these updates to set it on the client directly as well.

This could have some side-effects if you only need to set some headers on the server for instance. cc @pi0

atinux avatar Feb 07 '20 07:02 atinux

Hi. I think besides side-effects, it can be a neat future but first need to discuss if it there is a general enough use-case to add this functionality to scope of http (instead of auth). Additionally, this is not a universal solution:

  • SPA and Generate modes are unsupported because Authorization flow consideration requires unique user request to be server-side rendered.
  • Authorization set by client-side, is not updating for server on next requests (unless manually setting cookies and restore on server-side again)

A simple solution, would be using a plugin instead of nuxtServerInit which by default runs on both environments, ability to access same context of nuxtServerInit. It is also possible to hydrate Authorization without need of store which i can share a code example.

One good use-case i can see for supporting this feature, is for SSR-exclusive flow that Authorization header generation is only possible on server-side.

both sides attended that I'm setting the header using the client cookies whenever available and that the client context is supposed to be hydrated by the server-side data

Security advice: Reading cookies on server (specially if they are http-only) and exposing for hydration (which makes them accessible by client js) is breaking browser security mechanisms. So be careful :)

pi0 avatar Feb 07 '20 11:02 pi0