
[Bug]: POST /pictrs/image not possible with CORS

Open aeharding opened this issue 2 years ago • 1 comments

Requirements

  • [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • [X] Did you check to see if this issue already exists?
  • [X] Is this only a single bug? Do not put multiple bugs in one issue.
  • [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

Currently a POST to /pictrs/image requires the JWT to be in the cookie header.

Web clients cannot set the cookie header.

Steps to Reproduce

  1. Given a valid JWT, try to POST a new image cross origin in the browser.
  2. Observe it is impossible.

Ideally, I would be able to send JWT as a query parameter.

Technical Details

N/A

Version

0.18.1

Lemmy Instance URL

No response

aeharding avatar Jul 09 '23 20:07 aeharding

This is rather tedious. I'm not sure if the obvious fix (allow CORS credentials) is the right fix here for security reasons.

Is there no other way to pass the token to Pictrs? If we're currently using multipart forms for uploading, then a new form key could be introduced just for JSON data (including the JWT token).

An Authorization header would work best, but nothing in Lemmy currently even uses it. Everything seems to pass the token using the body or URL (which is not ideal at all).

diamondburned avatar Jul 10 '23 23:07 diamondburned

With https://github.com/LemmyNet/lemmy/pull/3818, both the Authorization: Bearer <jwt> header and the auth cookie are supported for image upload.

Nutomic avatar Sep 28 '23 11:09 Nutomic