Fix for client during browser-authentication #128
Open
andreasmuenster wants to merge 3 commits into
Two fixes for systems where standard vsp write operations fail:

1. CSRF token: HEAD→GET fallback (fixes oisee#104)
fetchCSRFToken() uses HEAD for speed. On systems where the ICF handler CL_ADT_WB_RES_APP does not implement HEAD (returns 400 or 403 without a token), fall back to GET automatically — which is what Eclipse ADT uses. HEAD is still tried first; only if it returns no usable token does the GET happen, so fast systems are unaffected.

2. Secure-cookie stripping for HTTP reverse proxies
SAP systems behind nginx/other HTTP proxies often set session cookies with the Secure flag. Go's standard cookiejar refuses to send Secure cookies over plain HTTP, so the session cookie never reaches SAP on subsequent requests and the CSRF token appears expired. httpCookieJar strips the Secure flag when storing cookies received over HTTP, allowing the session to be maintained.

3. SAP_SESSION_TYPE env var (partial fix for oisee#88)
Exposes adt.SessionType via SAP_SESSION_TYPE (stateful|stateless|keep). Setting stateful forces X-sap-adt-sessiontype: stateful on every request, which keeps lock handles valid across the Lock→Write sequence on systems that require it. Invalid values emit a warning to stderr instead of silently falling back.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This reverts commit 29a257b.
Nice improvement! This has been a bit of a pain to do until now 👏
barkow15
approved these changes
May 20, 2026
Browser-Authentication didn't support multiple/different clients.
The cookie was set for the "default" client and the tools call (using the cookies) used the cookie provided from the default client for a different client (which leads to non-auth and different session errors during mcp-usage).
Fix was: added the ?sap-client= to the url via url.Query during cookie retrieval - so the cookie matches the correct client.
go test ./... ran fine.
BR
Andi
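The Secure-flag behaviour described in the commit message above, as an added Go example that is not the PR's own code: the standard jar withholds a Secure cookie from plain-HTTP requests, while a wrapper that clears the flag only on cookies received over HTTP keeps the session and leaves cookies received over HTTPS protected. The type name plainHTTPJar, the host sap.example.test, the /app path and the cookie are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// plainHTTPJar (hypothetical name) wraps a standard jar and clears the Secure
// flag only on cookies that arrived in a response fetched over plain HTTP.
type plainHTTPJar struct{ inner http.CookieJar }

func (j *plainHTTPJar) SetCookies(u *url.URL, cookies []*http.Cookie) {
	if u.Scheme == "http" {
		stripped := make([]*http.Cookie, 0, len(cookies))
		for _, c := range cookies {
			cp := *c // copy so the caller's cookie is not mutated
			cp.Secure = false
			stripped = append(stripped, &cp)
		}
		cookies = stripped
	}
	j.inner.SetCookies(u, cookies) // HTTPS responses pass through unchanged
}

func (j *plainHTTPJar) Cookies(u *url.URL) []*http.Cookie { return j.inner.Cookies(u) }

func newStdJar() http.CookieJar {
	jar, _ := cookiejar.New(nil) // error ignored: nil options use the defaults
	return jar
}

// sentOverHTTP stores a constructed Secure session cookie as if it came from
// setURL and returns how many cookies the jar attaches to a plain-HTTP request.
func sentOverHTTP(jar http.CookieJar, setURL string) int {
	from, _ := url.Parse(setURL)
	to, _ := url.Parse("http://sap.example.test/app")
	jar.SetCookies(from, []*http.Cookie{{Name: "SESSION", Value: "constructed", Path: "/", Secure: true}})
	return len(jar.Cookies(to))
}

func main() {
	fmt.Println(sentOverHTTP(newStdJar(), "http://sap.example.test/app"))                 // standard jar
	fmt.Println(sentOverHTTP(&plainHTTPJar{newStdJar()}, "http://sap.example.test/app"))  // wrapper, HTTP origin
	fmt.Println(sentOverHTTP(&plainHTTPJar{newStdJar()}, "https://sap.example.test/app")) // wrapper, HTTPS origin
}
```

With the wrapper in place the session cookie crosses the client-to-proxy hop in cleartext, so that hop needs to be a trusted network segment.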