Wesley Barroso Lopes

What I was wondering, is what is your site's workflow? Do content managers authenticate to Plone Classic to register content (Page, News...)? After this content consumed by Volto to anonymous...

@rpatterson When I already have the Volto site open in the browser and I authenticate in the Plone Site, when I return to the Volto Site, I do not see...

@tisto @sneridagh When an authenticated user makes requests to URLs like: `https://server/the-image/@@images/image` an `auth_token` cookie is sent. Why is this not enough to get a private image?

> If the API server is under the same URL, you can. @sneridagh I found a situation where, even though the api and the Volto are in the URL, this...

@sneridagh the fact is that requests to `++api++` "understand" the `auth_token` cookie and requests to other URLs do not. When I sent the `@@images` URL to Volto, I somehow managed...

I see it here: https://github.com/plone/volto/blob/f21c92ac1a9c83fa8143fb0ba7944d748d58d65d/src/helpers/Api/Api.js#L72

> the fact is that requests to ++api++ "understand" the auth_token cookie and requests to other URLs do not. So it's not Plone that understands the cookie `auth_token` for `++api++`...

@rpatterson your PR #1303 solves the `__ac` and `auth_token` cookies out of sync problem that I described in https://github.com/plone/plone.restapi/issues/148#issuecomment-1236117123 ?

> Furthermore, following the suggestion of @tiberiuichim, the implementation is configurable and eventually with config.settings.staticfiles = [] you have the previous behavior. @mamico It would be nice to document this...

@instification @tiberiuichim today I can use the variables RAZZLE_INTERNAL_API_PATH and RAZZLE_API_PATH, so that Plone requests made by the Volto server use RAZZLE_INTERNAL_API_PATH and requests made by the browser use RAZZLE_API_PATH?