Skip to content

Fix for client during browser-authentication#128

Open
andreasmuenster wants to merge 3 commits into
oisee:mainfrom
andreasmuenster:main
Open

Fix for client during browser-authentication#128
andreasmuenster wants to merge 3 commits into
oisee:mainfrom
andreasmuenster:main

Conversation

@andreasmuenster

Copy link
Copy Markdown
Contributor

Brower-Authentication didn't support multiple/different clients.

The cookie was set for the "default" client and the tools call (using the cookies) used the cookie provided from the default clienat for a different client (which leads to non-auth and different session errors during mcp-usage).

Fix was: added the ?sap-client= to the url via url.Query during cookie retrieval - so the cookie matches the correct client.

go test ./... ran fine.

BR
Andi

frd1201 and others added 3 commits May 7, 2026 10:30
Two fixes for systems where standard vsp write operations fail:

1. CSRF token: HEAD→GET fallback (fixes oisee#104)

   fetchCSRFToken() uses HEAD for speed. On systems where the ICF
   handler CL_ADT_WB_RES_APP does not implement HEAD (returns 400 or
   403 without a token), fall back to GET automatically — which is
   what Eclipse ADT uses. HEAD is still tried first; only if it
   returns no usable token does the GET happen, so fast systems are
   unaffected.

2. Secure-cookie stripping for HTTP reverse proxies

   SAP systems behind nginx/other HTTP proxies often set session
   cookies with the Secure flag. Go's standard cookiejar refuses to
   send Secure cookies over plain HTTP, so the session cookie never
   reaches SAP on subsequent requests and the CSRF token appears
   expired. httpCookieJar strips the Secure flag when storing cookies
   received over HTTP, allowing the session to be maintained.

3. SAP_SESSION_TYPE env var (partial fix for oisee#88)

   Exposes adt.SessionType via SAP_SESSION_TYPE (stateful|stateless|
   keep). Setting stateful forces X-sap-adt-sessiontype: stateful on
   every request, which keeps lock handles valid across the
   Lock→Write sequence on systems that require it. Invalid values
   emit a warning to stderr instead of silently falling back.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@barkow15

Copy link
Copy Markdown

Nice improvement! This has been a bit of a pain to do until now 👏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants