packages/fxa-auth-client/lib/client.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -264,13 +264,21 @@ export default class AuthClient { @@
         }
         extraHeaders.set('Content-Type', 'application/json');
+        // Only include credentials for specific endpoints that may trigger WAF challenges
+        const includeCredentials = [
+          '/account/create',
+          '/password/forgot/send_otp',
+        ].some((endpoint) => path.includes(endpoint));
         try {
           const response = await fetchOrTimeout(
             this.url(path),
             {
               method,
               headers: extraHeaders,
               body: cleanStringify(payload),
+              credentials: includeCredentials ? 'include' : 'same-origin',
             },
             this.timeout
           );
@@ Expand Down @@

packages/fxa-auth-server/lib/server.js

-Original file line number
+Diff line change
@@ Expand Up @@
             // If we're accepting CORS from any origin then use Hapi's "ignore" mode,
             // which is more forgiving of missing Origin header.
             origin: config.corsOrigin[0] === '*' ? 'ignore' : config.corsOrigin,
+            credentials: true,
           },
           security: {
             hsts: {
@@ Expand Down @@

feat(auth): include credentials for fetch request #20003

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

toufali wants to merge 1 commit into main from include-credentials-for-auth-request

+9 −0

-Original file line number
+Diff line change
@@ Expand Up / @@ -264,13 +264,21 @@ export default class AuthClient { @@
         }
         extraHeaders.set('Content-Type', 'application/json');
+        // Only include credentials for specific endpoints that may trigger WAF challenges
+        const includeCredentials = [
+          '/account/create',
+          '/password/forgot/send_otp',
+        ].some((endpoint) => path.includes(endpoint));
         try {
           const response = await fetchOrTimeout(
             this.url(path),
             {
               method,
               headers: extraHeaders,
               body: cleanStringify(payload),
+              credentials: includeCredentials ? 'include' : 'same-origin',
             },
             this.timeout
           );
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
             // If we're accepting CORS from any origin then use Hapi's "ignore" mode,
             // which is more forgiving of missing Origin header.
             origin: config.corsOrigin[0] === '*' ? 'ignore' : config.corsOrigin,
+            credentials: true,
           },
           security: {
             hsts: {
@@ Expand Down @@

Provide feedback