Fix bookmarklet cross-origin requests when auth is enabled#88
Open
vdaluz wants to merge 1 commit intosam1am:mainfrom
Conversation
When ENABLE_AUTH=true, the GOG and Ubisoft bookmarklets fail to POST game data to Backlogia because they run on external domains without the Backlogia session cookie. Three related fixes:
1. CORS middleware order: Starlette add_middleware is last-in/outermost. CORS was added first (innermost) and auth second (outermost), so auth returned 401 responses before CORS could add Access-Control-Allow-Origin headers. Browsers saw a CORS error and fetch() threw 'Failed to connect to Backlogia'. Fixed by adding auth first, CORS last.
2. bookmarklet.js: Add credentials: 'include' to the GOG and Ubisoft import fetch() calls so the session cookie is sent cross-origin.
3. Exempt /api/import/* from auth. Cross-origin cookie sending is unreliable (third-party cookie restrictions vary by browser). These write-only endpoints accept game data the user is deliberately sending from their own browser — acceptable to leave unauthenticated.
Problem
With ENABLE_AUTH=true, the GOG and Ubisoft bookmarklets fail to POST game data to Backlogia. The bookmarklets run on external domains (gog.com, ubisoft.com) and can't reliably send the Backlogia session cookie cross-origin.
Two separate failure modes:
1. CORS middleware order
Starlette's add_middleware is last-in/outermost. CORS was added first (became innermost) and auth second (became outermost), so auth returned 401 responses before CORS could attach Access-Control-Allow-Origin headers. The browser rejected the response as a CORS failure and fetch() threw — showing "Failed to connect to Backlogia" in the overlay.
2. Authentication required
Even after fixing the order, credentials: 'include' is required for the browser to send cookies on cross-origin requests, and third-party cookie restrictions in modern browsers make this unreliable regardless.
Fix
Three changes:
1. CORS middleware order: add auth first (innermost), CORS last (outermost) so CORS headers wrap all responses including auth rejections.
2. credentials: 'include' on the GOG and Ubisoft fetch() calls in bookmarklet.js — best-effort, works where third-party cookies are allowed.
3. Exempt /api/import/* from auth in the middleware. These endpoints are write-only and accept game data the user is deliberately sending from their own authenticated browser session on the external site. Exempting them is the only reliably cross-browser solution.
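The middleware-ordering point in the PR description can be reproduced without Starlette. The following is an added example, not code from this PR or from Backlogia: two small pure-ASGI middlewares (auth and CORS) and a build_app() helper that wraps them the way Starlette's add_middleware does, where the last layer added becomes the outermost. The origin, cookie value, endpoint paths and the /api/import/* exemption pattern are constructed placeholders, not the project's real values.

```python
"""Pure-ASGI reproduction of the CORS/auth ordering bug described above.

No Starlette dependency: build_app() re-implements the add_middleware rule
(last call = outermost layer). Origin, cookie and paths are constructed.
"""
import asyncio
import fnmatch

ALLOWED_ORIGIN = "https://www.gog.com"   # assumed bookmarklet origin
SESSION_COOKIE = "session=valid"         # constructed cookie value
AUTH_EXEMPT = ["/api/import/*"]          # pattern exempted in the PR


async def games_api(scope, receive, send):
    """Innermost app: stand-in for the real API endpoints, always 200."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"ok": true}'})


class AuthMiddleware:
    """Rejects requests without the session cookie unless the path is exempt."""

    def __init__(self, app, exempt=()):
        self.app, self.exempt = app, exempt

    async def __call__(self, scope, receive, send):
        if any(fnmatch.fnmatch(scope["path"], pat) for pat in self.exempt):
            return await self.app(scope, receive, send)
        if dict(scope["headers"]).get(b"cookie") != SESSION_COOKIE.encode():
            # Early 401: it only gets CORS headers if CORS wraps *this* layer.
            await send({"type": "http.response.start", "status": 401, "headers": []})
            await send({"type": "http.response.body", "body": b"unauthorized"})
            return
        await self.app(scope, receive, send)


class CORSMiddleware:
    """Adds Access-Control-Allow-Origin to every response passing through it."""

    def __init__(self, app, allow_origin):
        self.app, self.allow_origin = app, allow_origin

    async def __call__(self, scope, receive, send):
        origin = dict(scope["headers"]).get(b"origin")

        async def send_with_cors(message):
            if message["type"] == "http.response.start" and origin == self.allow_origin.encode():
                message["headers"] = list(message["headers"]) + [
                    (b"access-control-allow-origin", origin),
                    (b"access-control-allow-credentials", b"true"),
                ]
            await send(message)

        await self.app(scope, receive, send_with_cors)


def build_app(add_order):
    """Mimic Starlette: each factory wraps the current stack, so the last one
    in add_order ends up outermost."""
    app = games_api
    for factory in add_order:
        app = factory(app)
    return app


def request(app, path, cookie=None):
    """Drive the ASGI app in-process; return (status, response header dict)."""
    headers = [(b"origin", ALLOWED_ORIGIN.encode())]
    if cookie:
        headers.append((b"cookie", cookie.encode()))
    scope = {"type": "http", "method": "POST", "path": path, "headers": headers}
    captured = {}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            captured["status"] = message["status"]
            captured["headers"] = {k.decode(): v.decode() for k, v in message["headers"]}

    asyncio.run(app(scope, receive, send))
    return captured["status"], captured["headers"]


def cors(app):
    return CORSMiddleware(app, ALLOWED_ORIGIN)


def auth(app):
    return AuthMiddleware(app, exempt=AUTH_EXEMPT)


# Before the fix: CORS added first (innermost), auth second (outermost).
BUGGY_APP = build_app([cors, auth])
# After the fix: auth first (innermost), CORS last (outermost).
FIXED_APP = build_app([auth, cors])

if __name__ == "__main__":
    for name, app in (("buggy", BUGGY_APP), ("fixed", FIXED_APP)):
        status, hdrs = request(app, "/api/games")
        print(name, status, hdrs.get("access-control-allow-origin"))
    print("import without cookie:", request(FIXED_APP, "/api/import/gog")[0])
```

Running it shows the 401 from the buggy stack has no Access-Control-Allow-Origin header (the browser then reports a CORS failure rather than a 401), while the same 401 from the fixed stack carries it; the exempt import path returns 200 with no cookie at all. The design point is that CORS must be the outermost layer so that responses produced by any inner layer, including auth rejections, pass through it.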