[Bug]: POST /pictrs/image not possible with CORS #3567

Closed
4 tasks done
aeharding opened this issue Jul 9, 2023 · 2 comments
Labels
area: api bug Something isn't working

@aeharding

Requirements

  • Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • Did you check to see if this issue already exists?
  • Is this only a single bug? Do not put multiple bugs in one issue.
  • Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

Currently a POST to /pictrs/image requires JWT to be in cookie header.

Web clients cannot set the cookie header.

Steps to Reproduce

  1. Given a valid JWT, try to POST a new image cross origin in the browser.
  2. Observe it is impossible.

Ideally, I would be able to send JWT as a query parameter.

Technical Details

N/A

Version

0.18.1

Lemmy Instance URL

No response

@diamondburned
Contributor

This is rather tedious. I'm not sure if the obvious fix (allow CORS credentials) is the right fix here for security reasons.

Is there no other way to pass the token to Pictrs? If we're currently using multipart forms for uploading, then a new form key could be introduced just for JSON data (including the JWT token).

An Authorization header would work best, but nothing in Lemmy currently even uses it. Everything seems to pass the token using the body or URL (which is not ideal at all).

aeharding added a commit to aeharding/voyager that referenced this issue Jul 24, 2023
Note: Proxy server is still required due to
LemmyNet/lemmy#3567
@Nutomic
Member

Nutomic commented Sep 28, 2023

With #3818 Authorization: Bearer <jwt> header and auth cookie are supported for image upload.

@Nutomic Nutomic closed this as completed Sep 28, 2023
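
The header handling discussed in this thread, as an added example (not code from Lemmy, pict-rs or any participant): a small model of the WHATWG Fetch rules showing why browser script cannot set `Cookie` on the upload, and why `Authorization: Bearer <jwt>` is sent but forces a CORS preflight that the server must answer with `authorization` listed by name. The function names, the abridged header lists and the placeholder cookie name are assumptions of this example.

```javascript
// Added example, not Lemmy or pict-rs code. Lists abridged from the WHATWG Fetch standard.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

const isForbidden = (n) => FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");

// CORS-safelisted headers do not trigger a preflight; Content-Type only for simple MIME types.
function isSafelisted(name, value) {
  if (!SAFELISTED.has(name)) return false;
  if (name !== "content-type") return true;
  return SIMPLE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
}

// What a browser does with script-supplied headers on a cross-origin request.
function planCrossOriginRequest(method, headers) {
  const sent = {}, dropped = [], unsafe = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (isForbidden(name)) { dropped.push(name); continue; } // silently ignored by fetch/XHR
    sent[name] = value;
    if (!isSafelisted(name, value)) unsafe.push(name);
  }
  const simpleMethod = ["GET", "HEAD", "POST"].includes(method.toUpperCase());
  return { sent, dropped, preflight: !simpleMethod || unsafe.length > 0,
           requestHeaders: unsafe.sort() }; // goes into Access-Control-Request-Headers
}

// Does the preflight response's Access-Control-Allow-Headers value cover the request?
// "*" never covers authorization; it has to be listed by name.
function preflightAllows(allowHeaders, requestHeaders) {
  const allowed = allowHeaders.split(",").map((h) => h.trim().toLowerCase());
  return requestHeaders.every((h) =>
    allowed.includes(h) || (allowed.includes("*") && h !== "authorization"));
}

// Constructed sample requests for the upload in this issue; token and cookie name are placeholders.
const viaCookie = planCrossOriginRequest("POST", { Cookie: "<cookie-name>=<jwt>" });
const viaBearer = planCrossOriginRequest("POST", { Authorization: "Bearer <jwt>" });
console.log(viaCookie, viaBearer);
```

A server that answers the preflight with only `Access-Control-Allow-Headers: *` still fails the bearer upload, which is worth checking when an instance sits behind a reverse proxy that rewrites CORS headers.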