Skip to content

fix(carto): only attach Authorization header when accessToken is present#10373

Open
jatorre wants to merge 2 commits into
visgl:masterfrom
jatorre:fix/carto-conditional-auth-header
Open

fix(carto): only attach Authorization header when accessToken is present#10373
jatorre wants to merge 2 commits into
visgl:masterfrom
jatorre:fix/carto-conditional-auth-header

Conversation

@jatorre

@jatorre jatorre commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Background

TilejsonResult.accessToken is becoming optional in @carto/api-client (CartoDB/carto-api-client#298 adds a session auth mode where requests are authenticated by a same-origin session cookie behind a proxy, and no token ever reaches JavaScript — tile URLs come back rewritten onto the proxy base).

Today the CARTO tile layers and fetchMap's createLoadOptions build Authorization: Bearer ${tileJSON.accessToken} unconditionally, so a missing token produces the literal header Bearer undefined — which actively breaks cookie-session servers (they engage only when the Authorization header is absent) and sends a junk credential otherwise.

Change List

  • New getAuthFetchOptions(accessToken?) helper in modules/carto/src/utils.ts: returns the Bearer header when a token is present, or {credentials: 'same-origin'} when not (so the cookie rides along on same-origin tile requests).
  • Used at the 6 existing header sites: vector / h3 / quadbin / raster / cluster tile layers (getLoadOptions) and createLoadOptions in parse-map.ts (param widened to string | undefined).
  • No behavior change when a token is present (the default and existing path).

Verified: carto module suite green (28 files / 124 tests), monorepo lint 0 errors, prettier clean.


Note

Medium Risk
Touches authentication for all CARTO tile loads, but token-based flows are unchanged and the no-token path only avoids a broken header and enables cookie auth.

Overview
Centralizes tile and map fetch auth in getAuthFetchOptions, so missing accessToken no longer sends Authorization: Bearer undefined.

When a token exists, behavior is unchanged (Bearer header). When it does not—e.g. session/cookie auth via same-origin proxy URLs—the helper omits Authorization and sets credentials: 'same-origin' so cookies can authenticate requests.

parse-map createLoadOptions and all CARTO tile layers that set loadOptions.fetch (vector, H3, quadbin, raster, cluster) now use this helper instead of inlining the header.

Reviewed by Cursor Bugbot for commit 96a4490. Bugbot is set up for automated code reviews on this repo. Configure here.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 23430ad9ea

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

credentials?: RequestCredentials;
} {
if (!accessToken) {
return {credentials: 'same-origin'};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve caller-supplied fetch credentials

When accessToken is absent, every CARTO tile layer passes this object into mergeLoadOptions(super.getLoadOptions(), ...); because credentials is a primitive value, it overwrites any loadOptions.fetch.credentials the application supplied. This breaks configurations that intentionally use credentials: 'include' for cross-origin cookie auth or credentials: 'omit' for public requests, even though the intended fix only needs to omit the Authorization header. Returning an empty fetch-options object in the no-token case would avoid clobbering user fetch settings.

Useful? React with 👍 / 👎.

@jatorre

jatorre commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

@felixpalmer hey mate. Could you take a look?

@coveralls

Copy link
Copy Markdown

Coverage Status

coverage: 83.394% (+0.3%) from 83.112% — jatorre:fix/carto-conditional-auth-header into visgl:master

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants