
Commit ae877d4

authored
Merge pull request #20003 from mozilla/include-credentials-for-auth-request
feat(auth): include credentials for certain fetch requests
2 parents 135775a + 008a155 commit ae877d4

7 files changed

Lines changed: 38 additions & 22 deletions


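--- a/packages/fxa-auth-client/lib/client.ts
+++ b/packages/fxa-auth-client/lib/client.ts
@@ -264,14 +264,27 @@ export default class AuthClient {
 }
 
 extraHeaders.set('Content-Type', 'application/json');
+
+const requestOptions: RequestInit = {
+method,
+headers: extraHeaders,
+body: cleanStringify(payload),
+};
+
+// For specific endpoints + HTTPS, upgrade credentials to include cookies for WAF challenges
+const includeCredentials = [
+'/account/create',
+'/password/forgot/send_otp',
+].some((endpoint) => path.startsWith(endpoint));
+
+if (includeCredentials && new URL(this.uri).protocol === 'https:') {
+requestOptions.credentials = 'include';
+}
+
 try {
 const response = await fetchOrTimeout(
 this.url(path),
-{
-method,
-headers: extraHeaders,
-body: cleanStringify(payload),
-},
+requestOptions,
 this.timeout
 );
 const result = JSON.parse(await response.text());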
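Review bot: The endpoint match at `path.startsWith(endpoint)` is a prefix test, so any future path beginning with `/account/create` or `/password/forgot/send_otp` would also be sent with `credentials: 'include'`, while the server side of this commit enables `cors.credentials` only on those two exact routes; a credentialed cross-origin request to a sibling route would then have its response blocked by the browser for lack of `Access-Control-Allow-Credentials`. An exact comparison keeps client and server in step: `].includes(path);` — assuming `path` carries no query string here, which the hunk does not show. The comment above the list would also be more useful if it stated the dependency, e.g. `// These routes must answer with Access-Control-Allow-Credentials: true (see auth-server cors config)`. The enclosing method starts and ends outside the hunk.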

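--- a/packages/fxa-auth-client/package.json
+++ b/packages/fxa-auth-client/package.json
@@ -45,15 +45,11 @@
 },
 "author": "",
 "license": "MPL-2.0",
-"dependencies": {
-"node-fetch": "^2.6.7"
-},
 "devDependencies": {
 "@types/assert": "^1.5.4",
 "@types/fast-text-encoding": "^1",
 "@types/mocha": "^10",
 "@types/node": "^22.13.5",
-"@types/node-fetch": "^2.5.7",
 "@types/prettier": "^2",
 "esbuild": "^0.17.15",
 "esbuild-register": "^3.5.0",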

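--- a/packages/fxa-auth-client/server.ts
+++ b/packages/fxa-auth-client/server.ts
@@ -1,6 +1,5 @@
 import http from 'http';
 import https from 'https';
-import fetch, { Headers } from 'node-fetch';
 import AuthClient from './lib/client';
 
 http.globalAgent = new http.Agent({
@@ -10,11 +9,6 @@ https.globalAgent = new https.Agent({
 keepAlive: true,
 });
 
-// @ts-ignore
-global.fetch = fetch;
-// @ts-ignore
-global.Headers = Headers;
-
 export default AuthClient;
 export * from './lib/client';
 export * from './lib/hawk';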

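--- a/packages/fxa-auth-client/tsconfig.base.json
+++ b/packages/fxa-auth-client/tsconfig.base.json
@@ -1,7 +1,7 @@
 {
 "extends": "../../tsconfig.base.json",
 "compilerOptions": {
-"types": ["mocha"]
+"types": ["mocha", "node"]
 },
 "include": ["./lib/**/*", "./server.ts"],
 "exclude": ["dist", "node_modules"]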

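--- a/packages/fxa-auth-server/lib/routes/account.ts
+++ b/packages/fxa-auth-server/lib/routes/account.ts
@@ -423,8 +423,7 @@ export class AccountHandler {
 service: form.service || query.service,
 });
 } else {
-console.debug('falling back')
-const sent = await this.mailer.sendVerifyEmail([], account, {
+await this.mailer.sendVerifyEmail([], account, {
 code: account.emailCode,
 service: form.service || query.service,
 redirectTo: form.redirectTo,
@@ -446,7 +445,6 @@ export class AccountHandler {
 uaDeviceType: sessionToken.uaDeviceType,
 uid: sessionToken.uid,
 });
-console.debug('falling back sent!', sent);
 }
 }
 }
@@ -2521,12 +2519,21 @@ export const accountRoutes = (
 statsd,
 authServerCacheRedis
 );
+
+// Enable CORS credentials only when using explicit origins (not wildcard, per CORS spec)
+const enableCredentials = config.corsOrigin && config.corsOrigin[0] !== '*';
+
 const routes = [
 {
 method: 'POST',
 path: '/account/create',
 options: {
 ...ACCOUNT_DOCS.ACCOUNT_CREATE_POST,
+...(enableCredentials && {
+cors: {
+credentials: true,
+},
+}),
 validate: {
 query: isA.object({
 keys: isA.boolean().optional().description(DESCRIPTION.keys),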
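Review bot: `config.corsOrigin[0] !== '*'` inspects only the first entry, so if `corsOrigin` is a list, a wildcard in any later position would still turn on `cors.credentials`, which is exactly the combination the comment says must be avoided. If it is an array, `const enableCredentials = Array.isArray(config.corsOrigin) && !config.corsOrigin.includes('*');` checks every entry; if it can also be a plain string, the `[0]` index compares the first character rather than the value, so the accepted shape is worth confirming against the config schema before choosing the guard. The identical expression is added to password.ts in this commit, so a shared helper (or at least the same fix in both places) would keep the two routes from drifting. `accountRoutes` continues outside the hunk.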

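--- a/packages/fxa-auth-server/lib/routes/password.ts
+++ b/packages/fxa-auth-server/lib/routes/password.ts
@@ -79,6 +79,9 @@ module.exports = function (
 : db.updatePasswordForgotToken(passwordForgotToken);
 }
 
+// Enable CORS credentials only when using explicit origins (not wildcard, per CORS spec)
+const enableCredentials = config.corsOrigin && config.corsOrigin[0] !== '*';
+
 const routes = [
 {
 method: 'POST',
@@ -995,6 +998,11 @@ module.exports = function (
 path: '/password/forgot/send_otp',
 options: {
 ...PASSWORD_DOCS.PASSWORD_FORGOT_SEND_OTP_POST,
+...(enableCredentials && {
+cors: {
+credentials: true,
+},
+}),
 validate: {
 query: isA.object({
 service: validators.service.description(DESCRIPTION.serviceRP),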

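--- a/yarn.lock
+++ b/yarn.lock
@@ -22980,7 +22980,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"@types/node-fetch@npm:^2.5.7, @types/node-fetch@npm:^2.6.1, @types/node-fetch@npm:^2.6.4":
+"@types/node-fetch@npm:^2.6.1, @types/node-fetch@npm:^2.6.4":
 version: 2.6.12
 resolution: "@types/node-fetch@npm:2.6.12"
 dependencies:
@@ -35450,15 +35450,13 @@ __metadata:
 "@types/fast-text-encoding": "npm:^1"
 "@types/mocha": "npm:^10"
 "@types/node": "npm:^22.13.5"
-"@types/node-fetch": "npm:^2.5.7"
 "@types/prettier": "npm:^2"
 esbuild: "npm:^0.17.15"
 esbuild-register: "npm:^3.5.0"
 eslint: "npm:^8.38.0"
 eslint-config-react-app: "npm:^7.0.1"
 fast-text-encoding: "npm:^1.0.4"
 mocha: "npm:^10.4.0"
-node-fetch: "npm:^2.6.7"
 prettier: "npm:^3.5.3"
 typescript: "npm:5.5.3"
 languageName: unknown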
