Skip to content

Commit eec5ab9

Browse files
Merge pull request #151 from InstaNode-dev/fix/login-callback-no-accept-header
fix(login): drop Accept header — /auth/exchange POST blocked by CORS preflight (P0 follow-up)
2 parents bb5bbac + 45b368e commit eec5ab9

2 files changed

Lines changed: 14 additions & 1 deletion

File tree

src/pages/LoginCallbackPage.test.tsx

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -107,6 +107,13 @@ describe('LoginCallbackPage', () => {
107107
expect(init.method).toBe('POST')
108108
expect(init.credentials).toBe('include')
109109
expect(api.setToken).toHaveBeenCalledWith('xyz')
110+
// Regression guard: NO custom request headers. A POST with only
111+
// safelisted headers + credentials:include is a "simple cross-origin
112+
// request" and avoids a CORS preflight. Adding Accept or Content-Type
113+
// would force an OPTIONS preflight that the api's PreflightAllowlist
114+
// rejects (those headers aren't in corsAllowHeaders), surfacing as
115+
// "Failed to fetch" in the browser.
116+
expect(init.headers).toBeUndefined()
110117
})
111118

112119
it('AUTH-004: exchange non-2xx surfaces the api error message', async () => {

src/pages/LoginCallbackPage.tsx

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,16 @@ import { setToken, fetchMe, getAPIBaseURL } from '../api'
1616
// api/internal/handlers/auth.go appendSessionToken docstring).
1717
async function exchangeCookieForToken(): Promise<string> {
1818
const apiBase = getAPIBaseURL()
19+
// DELIBERATE: no custom headers (no Accept, no Content-Type). A POST
20+
// with only safelisted headers + credentials:include is a "simple
21+
// cross-origin request" per the CORS spec — no preflight. Adding
22+
// Accept:application/json would force an OPTIONS preflight that the
23+
// api's PreflightAllowlist rejects (Accept not in corsAllowHeaders),
24+
// returning 403 → "Failed to fetch" in the browser. The api returns
25+
// JSON regardless of the request Accept header.
1926
const resp = await fetch(`${apiBase}/auth/exchange`, {
2027
method: 'POST',
2128
credentials: 'include',
22-
headers: { Accept: 'application/json' },
2329
})
2430
if (!resp.ok) {
2531
let detail = ''

0 commit comments

Comments
 (0)