x-ms-client-principal header not included when request rewritten to API via navigationFallback
#1053
Comments
|
Hey @geoffrich! Thanks for the feedback and the great work on svelte-adapter-azure-swa. We'll look into this |
|
Thanks! It's worth noting that the issue I report here only happens on the deployed site - when running the demo locally with the SWA CLI, I get the header back in all cases. |
|
Just ran into the same issue - here is a demo repository to reproduce this: https://github.com/derkoe/azure-swa-auth-issue-with-nav-fallback (here is the deployed version https://proud-moss-0ed9eb403-test.westeurope.1.azurestaticapps.net/) |
|
There is a workaround for this:
Here is an example for this: {
"navigationFallback": {
"rewrite": "/api/render"
},
"routes": [
{
"route": "/manifest.json"
},
{
"route": "/service-worker.js"
},
{
"route": "/robots.txt"
},
{
"route": "/static/*"
},
...
{
"route": "*",
"allowedRoles": ["authenticated"]
}
]
} |
|
Hi @derkoe and @geoffrich, this has now been fixed and you can access the x-ms-client-principal in requests rewritten to an api path. I've forked and edited your repo derkoe, and here it is working: https://github.com/thomasgauvin/azure-swa-auth-issue-with-nav-fallback Try it out! https://yellow-ocean-03d2d7403.3.azurestaticapps.net/thisisa404 |
|
Thx @thomasgauvin - it seems to work now in my application without the workaround. |
|
Excellent, thanks for the confirmation @derkoe, closing this issue |
|
Hi all, I can't share our application code with this thread as it's internal, but this only happens in one of our 2 environments. What is the best way to get this sorted? Edit: I tried @derkoe's suggestion and it still looks like around 30-40% of my API requests are forwarded to my container app without the |
|
I am also experiencing the same issue as @MykalMachon in a Azure SWA which is receiving 401 Unauthorized responses from a connected Azure Container App which host our APIs. Is there an easy to prevent this intermittent issue? Issue also raised at: https://learn.microsoft.com/en-us/answers/questions/1635634/x-ms-client-principal-header-not-included-in-reque |
Describe the bug
The
x-ms-client-principalheader is not consistently sent to the Static Web App's API function. In particular, when the request is rewritten to the API route vianavigationFallbackand the route does not have anallowedRoles, the header is not present.If the route does have an
allowedRolesor if the route is rewritten to the API route outside ofnavigationFallback, then the header is present.To Reproduce
live demo
demo repo
Given a Static Web App with an Azure Function API available at
/api/auth-test, an index.html file, and the following config:{ "routes": [ { "route": "/api-rewrite", "rewrite": "/api/auth-test" }, { "route": "/protected", "allowedRoles": ["authenticated"] } ], "navigationFallback": { "rewrite": "/api/auth-test" } }/api/auth-test(the API function),/api-rewrite(which rewrites the request viaroutes), and/protected(which rewrites the request vianavigationFallbackand has anallowedRoles) all correctly rewrite the request to the API function at/api/auth-testand include the x-ms-client-principal header/whatever(which rewrites the request to the API function vianavigationFallbackand does not have anallowedRoles) does not include the x-ms-client-principal headerYou can clearly see this on my demo site linked above. The API function returns the
x-ms-client-principalheaders it receives.Expected behavior
The
x-ms-client-principalheader is provided for all requests to the API.Screenshots
n/a
Device info (if applicable):
n/a
Additional context
I maintain the SvelteKit integration for Azure Static Web Apps, svelte-adapter-azure-swa. This issue is preventing SvelteKit users from getting consistent access to authentication info via the
x-ms-client-principalheader.The adapter works by rewriting requests in
navigationFallbackto an Azure function that runs the SvelteKit request handler to server-side render the page, among other things. If the requested route is not present in the SWA route config with anallowedRolesspecified, then the request does not have access to authentication info via the header.The text was updated successfully, but these errors were encountered: