From 5d96554365745b0c97cbc69792fb95728c179053 Mon Sep 17 00:00:00 2001
From: Oliwia Rogala
Date: Fri, 3 Oct 2025 10:43:04 +0200
Subject: [PATCH] fix(auth): ensure schema is immutable when authorizing
---
 src/core/plugins/auth/wrap-actions.js | 4 +++-
 test/unit/core/plugins/auth/wrap-actions.js | 24 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/core/plugins/auth/wrap-actions.js b/src/core/plugins/auth/wrap-actions.js
index 4c4026069e2..b7f12b342dc 100644
--- a/src/core/plugins/auth/wrap-actions.js
+++ b/src/core/plugins/auth/wrap-actions.js
@@ -1,6 +1,7 @@
 /**
 * @prettier
 */
+import { fromJS } from "immutable"
 /**
 * `authorize` and `logout` wrapped actions provide capacity
@@ -18,7 +19,8 @@ export const authorize = (oriAction, system) => (payload) => {
 // create cookie
 try {
- const [{ schema, value }] = Object.values(payload)
+ const [{ schema: payloadSchema, value }] = Object.values(payload)
+ const schema = fromJS(payloadSchema)
 const isApiKeyAuth = schema.get("type") === "apiKey"
 const isInCookie = schema.get("in") === "cookie"
 const isApiKeyInCookie = isApiKeyAuth && isInCookie
diff --git a/test/unit/core/plugins/auth/wrap-actions.js b/test/unit/core/plugins/auth/wrap-actions.js
index cd1327d7be2..f9f3b98575c 100644
--- a/test/unit/core/plugins/auth/wrap-actions.js
+++ b/test/unit/core/plugins/auth/wrap-actions.js
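Review bot: In `src/core/plugins/auth/wrap-actions.js`, the new `const schema = fromJS(payloadSchema)` line carries no comment, although this branch decides whether an API key is written to `document.cookie`; a line such as `// schema may be a plain object or an Immutable Map; normalize so .get() is available` above it would record why both shapes are accepted. `fromJS` passes `undefined` through unchanged, so an entry without a `schema` still fails at `schema.get("type")` and depends on the `try`'s handler, which lies outside this hunk. Only the first entry of `Object.values(payload)` is destructured, so if a payload can carry several schemes a cookie-based apiKey that is not first would presumably be skipped; that is worth confirming against the callers.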
@@ -42,6 +42,30 @@ describe("Cookie based apiKey persistence in document.cookie", () => {
 )
 })
+ it("should persist cookie in document.cookie if schema is a plain object", () => {
+ const system = {
+ getConfigs: () => ({
+ persistAuthorization: true,
+ }),
+ }
+ const payload = {
+ api_key: {
+ schema: {
+ type: "apiKey",
+ name: "apiKeyCookie",
+ in: "cookie",
+ },
+ value: "test",
+ },
+ }
+
+ authorize(jest.fn(), system)(payload)
+
+ expect(document.cookie).toEqual(
+ "apiKeyCookie=test; SameSite=None; Secure"
+ )
+ })
+
 it("should delete cookie from document.cookie", () => {
 const payload = fromJS({
 api_key: {
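Review bot: The new case asserts on the shared `document.cookie` with a generic name and value, so if an earlier case in this `describe` writes the same `apiKeyCookie=test` pair and the cookie is not reset between cases (the suite's setup is outside this hunk), the assertion could pass without the plain-object path having written anything. Giving this case its own cookie name, e.g. `name: "plainSchemaCookie"`, and expecting `"plainSchemaCookie=test; SameSite=None; Secure"`, would tie the result to this call. A companion case with `schema` missing would also pin down that a malformed payload does not persist a credential.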