POST request JSON must be added to req after the attachment of cookies--why? #352
Comments
I ran into a similar problem. It seems like it's not that attachCookies is interfering with setting the JSON, but the other way around - using send() breaks subsequent attachCookies() calls. If you look at https://github.com/visionmedia/superagent/blob/master/lib/node/index.js, you can see that Request.prototype.send calls this.request() which adds the cookies to the header, but also caches its result:

```js
Request.prototype.request = function(){
  if (this.req) return this.req;
  ...
  // add cookies
  if (this.cookies) req.setHeader('Cookie', this.cookies);
```

Which explains why attachCookies() must be called before send() or in fact before anything else that internally calls this.request(), otherwise a version of the headers without the cookies will be cached and returned on all subsequent calls.
@mjomble Thanks for that clear explanation!
Perhaps the issue should remain open as it's fairly unexpected and undocumented behavior. Ideally it should work regardless of the order of send() and attachCookies() or at least throw an error if you're using them in an unsupported order, rather than discarding the cookies silently.
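A small model of the caching pattern explained two comments up, and of the "throw instead of silently dropping" behaviour proposed in this comment, as an added example that is not superagent's own code: the hypothetical BuggyRequest class reproduces the order dependence, and StrictRequest rejects a late attachCookies() call; the cookie jar and payload values are constructed.

```javascript
// Added example (not superagent's code). BuggyRequest models request()
// building the header set once and caching it, so anything attached
// afterwards never reaches the wire.
class BuggyRequest {
  constructor() { this.req = null; this.cookies = null; }
  attachCookies(jar) { this.cookies = jar; return this; }
  request() {
    if (this.req) return this.req;          // cached: later cookies are lost
    const headers = {};
    if (this.cookies) headers.Cookie = this.cookies;
    this.req = { headers, body: null };
    return this.req;
  }
  send(json) {                               // materialises the request
    this.request().body = JSON.stringify(json);
    return this;
  }
  end() { return this.request(); }           // what would go on the wire
}

// Hardened variant: attaching cookies after the request is materialised
// fails loudly instead of being discarded silently.
class StrictRequest extends BuggyRequest {
  attachCookies(jar) {
    if (this.req) {
      throw new Error('attachCookies() called after send(); cookies would be dropped');
    }
    return super.attachCookies(jar);
  }
}

// Constructed sample values standing in for a real cookie jar and payload.
const JAR = 'XSRF-TOKEN=abc123; connect.sid=s%3Asession';
const BODY = { hello: 'world' };

// Returns the Cookie header that would be sent for the given call order:
// the jar string when cookies survived, undefined when they were dropped.
function cookieHeader(Ctor, cookiesFirst) {
  const r = new Ctor();
  if (cookiesFirst) r.attachCookies(JAR).send(BODY);
  else r.send(BODY).attachCookies(JAR);
  return r.end().headers.Cookie;
}

// True when the strict variant refuses the unsupported order.
function strictRejectsLateCookies() {
  try { cookieHeader(StrictRequest, false); return false; }
  catch (e) { return /after send/.test(e.message); }
}
```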
👍
+1
Where is any of this saveCookies/attachCookies stuff documented? I don't see any of it in https://github.com/visionmedia/superagent/blob/master/test/node/agency.js Furthermore, depending on its behavior to be used externally at all is a defect, since these functions are specifically marked "private" in the comments preceding their definition.
Also, this means that
The following test passes:
However, simply swapping the attachment of cookies with the setting of the JSON causes the test to fail--the server responds with 403. That is, the following fails:
When I look on the server (express proxied by nginx, using the express.csrf middleware) to see what is going on, in the unsuccessful case the secret loaded from req.session.csrfSecret, which is used to match the X-XSRF-TOKEN header, is undefined. In the successful case, the secret loaded from req.session.csrfSecret is exactly what it should be, namely the secret created by the GET request to /getsomecookies.
Interestingly, if I make the POST request without trying to send any JSON, I at least don't get a 403 response (though the test would fail with a 400 because I didn't provide any JSON for the server to do something with). That is, this works too:
So, what is it about attachCookies that is interfering with the setting of the JSON sent in the request? Clearly the server is seeing something different in each case. Is this problem documented anywhere?