feat(evlog): allow to configure request credentials in browser drain

MrLightful · MrLightful · commit fedb54c9d8ec · 2026-03-24T00:47:38.000+01:00
diff --git a/apps/docs/content/4.adapters/11.browser.md b/apps/docs/content/4.adapters/11.browser.md
@@ -90,6 +90,7 @@ const drain = pipeline(transport)
 | `headers` | - | Custom headers sent with each `fetch` request (e.g. `Authorization`, `X-API-Key`) |
 | `timeout` | `5000` | Request timeout in milliseconds |
 | `useBeacon` | `true` | Use `sendBeacon` when the page is hidden |
+| `credentials` | `'same-origin'` | Fetch credentials mode (`'omit'`, `'same-origin'`, `'include'`). Set to `'include'` for cross-origin endpoints |
 
 ### `BrowserLogDrainOptions`
 
@@ -123,7 +124,7 @@ const drain = createBrowserLogDrain({
 ```
 
 ::callout{icon="i-lucide-shield-alert" color="warning"}
-`headers` are applied to `fetch` requests only. The `sendBeacon` API does not support custom headers, so when the page is hidden and `sendBeacon` is used, headers are not sent. If your endpoint requires authentication, consider validating via a session cookie (`credentials: 'same-origin'` is set by default) or disable `sendBeacon` with `useBeacon: false`.
+`headers` are applied to `fetch` requests only. The `sendBeacon` API does not support custom headers, so when the page is hidden and `sendBeacon` is used, headers are not sent. If your endpoint requires authentication, consider validating via a session cookie (set `credentials: 'include'` for cross-origin endpoints, defaults to `'same-origin'`) or disable `sendBeacon` with `useBeacon: false`.
 ::
 
 ## Server Endpoint
diff --git a/packages/evlog/src/browser.ts b/packages/evlog/src/browser.ts
@@ -11,6 +11,8 @@ export interface BrowserDrainConfig {
   timeout?: number
   /** Use sendBeacon when the page is hidden. @default true */
   useBeacon?: boolean
+  /** Fetch credentials mode. @default 'same-origin' */
+  credentials?: RequestCredentials
 }
 
 export interface BrowserLogDrainOptions {
@@ -39,7 +41,7 @@ export interface BrowserLogDrainOptions {
  * ```
  */
 export function createBrowserDrain(config: BrowserDrainConfig): (batch: DrainContext[]) => Promise<void> {
-  const { endpoint, headers: customHeaders, timeout = 5000, useBeacon = true } = config
+  const { endpoint, headers: customHeaders, timeout = 5000, useBeacon = true, credentials = 'same-origin' } = config
 
   return async (batch: DrainContext[]): Promise<void> => {
     if (batch.length === 0) return
@@ -70,7 +72,7 @@ export function createBrowserDrain(config: BrowserDrainConfig): (batch: DrainCon
         body,
         signal: controller.signal,
         keepalive: true,
-        credentials: 'same-origin',
+        credentials,
       })
 
       if (!response.ok) {
diff --git a/packages/evlog/test/browser.test.ts b/packages/evlog/test/browser.test.ts
@@ -58,6 +58,15 @@ describe('createBrowserDrain', () => {
     })
   })
 
+  it('uses custom credentials mode', async () => {
+    const drain = createBrowserDrain({ endpoint: '/api/logs', credentials: 'include' })
+
+    await drain([createTestContext(1)])
+
+    const [, options] = vi.mocked(fetch).mock.calls[0]!
+    expect(options?.credentials).toBe('include')
+  })
+
   it('skips empty batches', async () => {
     const drain = createBrowserDrain({ endpoint: '/api/logs' })
 
