feat: add support for cookies auth #1850

Merged
merged 2 commits into from
Mar 26, 2025

@kelnos kelnos commented Mar 22, 2025

Closes #1621

Related to #231

changeset-bot bot commented Mar 22, 2025

🦋 Changeset detected

Latest commit: fe43b88

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 17 packages
Name Type
@hey-api/client-axios Patch
@hey-api/client-core Patch
@hey-api/client-fetch Patch
@hey-api/client-next Patch
@hey-api/client-nuxt Patch
@hey-api/openapi-ts Patch
@example/openapi-ts-axios Patch
@example/openapi-ts-fastify Patch
@example/openapi-ts-fetch Patch
@example/openapi-ts-sample Patch
@example/openapi-ts-tanstack-angular-query-experimental Patch
@example/openapi-ts-tanstack-react-query Patch
@example/openapi-ts-tanstack-svelte-query Patch
@example/openapi-ts-tanstack-vue-query Patch
@example/openapi-ts-next Patch
@hey-api/nuxt Patch
@example/openapi-ts-nuxt Patch

@kelnos kelnos force-pushed the apikey-cookie-support branch from 4cff0e3 to db4cd59 Compare March 22, 2025 18:57
@kelnos kelnos changed the title Add support for API key security schemes in cookies feat: add support for API key security schemes in cookies Mar 22, 2025

codecov bot commented Mar 22, 2025

Codecov Report

Attention: Patch coverage is 20.00000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 57.23%. Comparing base (2797d6c) to head (fe43b88).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
...ages/openapi-ts/src/plugins/@hey-api/sdk/plugin.ts 20.00% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1850      +/-   ##
==========================================
- Coverage   57.24%   57.23%   -0.01%     
==========================================
  Files         191      191              
  Lines       25952    25954       +2     
  Branches     1964     1964              
==========================================
  Hits        14856    14856              
- Misses      11087    11089       +2     
  Partials        9        9              
Flag Coverage Δ
unittests 57.23% <20.00%> (-0.01%) ⬇️

kelnos commented Mar 22, 2025

Fixed up the header truthiness check, and also added a cookie security scheme to the 3.0.x & 3.1.x test specs; hopefully that will fix the code coverage warning.

kelnos commented Mar 22, 2025

Strange, the built/minified code is different on one particular version of the macOS tests. Is that something we need to be concerned about?

Coverage also failed with a similar issue. Any thoughts?

kelnos commented Mar 24, 2025

Hm, so this doesn't actually work, at least for cross-origin requests! Even if you include Access-Control-Allow-Header: cookie in your CORS response, the browser will not allow you to set the cookie header.

I suppose this will work if people are using this for same-origin requests, or to generate clients for use with nodejs, at least.

kelnos commented Mar 24, 2025

An option would be to pass credentials: 'include' in the fetch() options; this will cause it to send cookies, but it will send all cookies that are associated with the current origin, which a) doesn't sound safe to do blindly, and b) would require that the origin even has the cookie that you want to send. Also, if the cookie is set as SameSite=strict, I'm not sure if it will get sent (probably not?).

For me, I could have my origin (the host serving the website) directly accept and forward API requests to my API backend. The default is credentials: 'same-origin', so it should send cookies along with the request, as long as I've set that cookie on the website's domain. I can also abandon cookie auth entirely, and use HTTP basic/bearer auth, which the browser will let me set with fetch(), assuming I've set up my CORS response properly.

mrlubos commented Mar 26, 2025

@kelnos hi, to clarify, is the failing CI pipeline the only thing left to resolve or are you looking for any input from me?

kelnos commented Mar 26, 2025

Ah, hm, I'm confused, because those tests were passing locally before, but now aren't. Maybe I forgot to commit some changed files, let's see... ah yeah, weird. Ok, let's give it a try now.

@kelnos kelnos force-pushed the apikey-cookie-support branch from dc80d9e to e82d5ad Compare March 26, 2025 20:27
@mrlubos mrlubos left a comment

Passed! Can you summarise if this implementation has any limitations and if there's any follow up work to be done?

kelnos commented Mar 26, 2025

> Passed!

Hooray!

> Can you summarise if this implementation has any limitations and if there's any follow up work to be done?

I don't believe there's more work to be done. The main limitations:

  • Cookie auth will not work at all for cross-origin requests when the code is run in a browser.
  • For same-origin requests, the browser will send along any cookies that are set on the domain. So if the cookie you try to send through the client is not also set on the domain from the browser's perspective (or if the values are different between what you send through the client and what is set on the browser), then it will not work.
  • This new feature will work fine with code running in node.js or some other non-browser JS runtime.

I'm happy to update this PR with a docs update to that effect if you can point me to a good place in the docs to document this.
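
The limitations listed in the comment above, as an added example that is not part of this PR or of hey-api's code: a small model of which cookie value actually reaches the API. `cookieAuthOutcome`, its option names and the `.test` hosts are hypothetical, and `jarCookie` is assumed to have already passed the browser's SameSite and third-party-cookie rules.

```javascript
// Added example (hypothetical names): which cookie reaches the API for a cookie-auth call.
function cookieAuthOutcome({
  runtime,                     // 'browser' or anything else (e.g. 'node')
  pageOrigin,                  // origin of the page running the client (browser only)
  requestUrl,                  // absolute URL of the API call
  credentials = 'same-origin', // fetch() default
  clientCookie,                // value the generated client puts in the Cookie header
  jarCookie = null,            // cookie the browser already stores for the API host
}) {
  if (runtime !== 'browser') {
    // Non-browser runtime: the header set by the client goes out as written.
    return { sent: clientCookie, source: 'client-header', ok: true };
  }
  // Browser: a script-set Cookie header is dropped (forbidden request header),
  // so only the browser's own cookie jar can supply the value.
  const sameOrigin = new URL(requestUrl).origin === pageOrigin;
  const jarAttached =
    credentials === 'include' || (credentials === 'same-origin' && sameOrigin);
  const sent = jarAttached ? jarCookie : null;
  return {
    sent,
    source: sent === null ? 'none' : 'browser-jar',
    sameOrigin,
    // Auth only behaves as the caller intended if the jar value matches.
    ok: sent !== null && sent === clientCookie,
  };
}

// Constructed scenarios covering the cases discussed in the thread.
function constructedScenarios() {
  const page = 'https://app.example.test';
  const want = 'sid=client-value';
  const base = { runtime: 'browser', pageOrigin: page, clientCookie: want };
  const cross = 'https://api.example.test/v1/me';
  const same = 'https://app.example.test/api/me';
  return {
    node: cookieAuthOutcome({ runtime: 'node', requestUrl: cross, clientCookie: want }),
    crossDefault: cookieAuthOutcome({ ...base, requestUrl: cross, jarCookie: want }),
    crossInclude: cookieAuthOutcome({ ...base, requestUrl: cross, credentials: 'include', jarCookie: want }),
    sameMatch: cookieAuthOutcome({ ...base, requestUrl: same, jarCookie: want }),
    sameMismatch: cookieAuthOutcome({ ...base, requestUrl: same, jarCookie: 'sid=other-value' }),
    sameOmit: cookieAuthOutcome({ ...base, requestUrl: same, credentials: 'omit', jarCookie: want }),
  };
}

console.log(constructedScenarios());
```
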

mrlubos commented Mar 26, 2025

These are generic constraints of cookies though, right? And you can always modify the underlying request to include credentials if you need to tinker with settings. So in that sense there's no extra need to document this?

kelnos commented Mar 26, 2025

Yes, that's true.

@mrlubos mrlubos changed the title feat: add support for API key security schemes in cookies feat: add support for cookies auth Mar 26, 2025
@mrlubos mrlubos merged commit 092215c into hey-api:main Mar 26, 2025
15 of 17 checks passed
@github-actions github-actions bot mentioned this pull request Mar 26, 2025
Development

Successfully merging this pull request may close these issues.

Add cookies auth support