From e6456e3a29972adeeca4f4ec9d5fb2bb8d74d198 Mon Sep 17 00:00:00 2001
From: Amri Toufali
Date: Thu, 5 Feb 2026 08:28:33 -0800
Subject: [PATCH] feat(auth): include credentials for fetch request

---
 packages/fxa-auth-client/lib/client.ts | 8 ++++++++
 packages/fxa-auth-server/lib/server.js | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/packages/fxa-auth-client/lib/client.ts b/packages/fxa-auth-client/lib/client.ts
index 99217660dde..1d66e8c8427 100644
--- a/packages/fxa-auth-client/lib/client.ts
+++ b/packages/fxa-auth-client/lib/client.ts
@@ -264,6 +264,13 @@ export default class AuthClient {
 }
 extraHeaders.set('Content-Type', 'application/json');
+
+ // Only include credentials for specific endpoints that may trigger WAF challenges
+ const includeCredentials = [
+ '/account/create',
+ '/password/forgot/send_otp',
+ ].some((endpoint) => path.includes(endpoint));
+
 try {
 const response = await fetchOrTimeout(
 this.url(path),
@@ -271,6 +278,7 @@ export default class AuthClient {
 method,
 headers: extraHeaders,
 body: cleanStringify(payload),
+ credentials: includeCredentials ? 'include' : 'same-origin',
 },
 this.timeout
 );
diff --git a/packages/fxa-auth-server/lib/server.js b/packages/fxa-auth-server/lib/server.js
index f9eb3db0ce3..d5a9a119e6b 100644
--- a/packages/fxa-auth-server/lib/server.js
+++ b/packages/fxa-auth-server/lib/server.js
@@ -129,6 +129,8 @@ async function create(log, error, config, routes, db, statsd, glean, customs) {
 // If we're accepting CORS from any origin then use Hapi's "ignore" mode,
 // which is more forgiving of missing Origin header.
 origin: config.corsOrigin[0] === '*' ? 'ignore' : config.corsOrigin,
+ // Only enable credentials when not using wildcard origin (CORS spec requirement)
+ credentials: config.corsOrigin[0] === '*' ? false : true,
 },
 security: {
 hsts: {
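Review bot: `path.includes(endpoint)` in the new `includeCredentials` computation is a substring test, so any route whose path merely contains `/account/create` or `/password/forgot/send_otp` as a fragment would also be sent with cookies, which is wider than the comment's "specific endpoints" intent. An exact match or a prefix match anchored at the start of the path is the safer predicate: `].some((endpoint) => path === endpoint || path.startsWith(`${endpoint}?`));` (assuming `path` may carry a query string — if it never does, `path === endpoint` alone is enough). The allow-list is also rebuilt on every request; hoisting it to a module-level `const CREDENTIALED_ENDPOINTS: ReadonlySet<string>` would make the set of cookie-bearing routes visible and reviewable in one place. The enclosing request method begins before this hunk, so its `path` parameter's exact shape is not visible here; the same `credentials` decision is consumed in the second hunk of this file.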
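Review bot: The new `credentials` option repeats the `config.corsOrigin[0] === '*'` test from the `origin` line directly above it, and `? false : true` is a verbose way to write a negation; `credentials: config.corsOrigin[0] !== '*',` reads more directly, or better, compute `const allowAnyOrigin = config.corsOrigin[0] === '*';` once and use it on both lines (the enclosing `create` function starts outside this hunk, so the declaration would go above the `cors` block). Once `credentials` is true the server vouches for cookie-bearing cross-origin requests from every entry in `config.corsOrigin`, so the comment should say that too, e.g. `// With credentials enabled, every configured origin may send cookies; keep the list to exact origins.` Whether any configured entry uses a pattern rather than an exact origin is not visible here and is worth confirming in the deployment config.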