
web: fix authentication when using `sg start web-standalone`

Warren Gifford requested to merge sg/fix-web-standalone into main

Created by: slimsag

Prior to this change, the proxy server that `sg start web-standalone` uses to proxy requests to https://k8s.sgdev.org did not send an appropriate Origin header (it sent http://localhost:3080 or https://sourcegraph.test, NOT https://k8s.sgdev.org as we would expect).

In #27313 (21 days ago) we hardened security by enforcing that requests to API endpoints that are not from trusted origins and do not have X-Requested-With will not be allowed to use session authentication. This introduced the issue for `sg start web-standalone` originally, and to work around this @vovakulikov added X-Requested-With to all proxied requests in #27825.

In #28572 (merged yesterday) I removed the proxy logic for CSRF tokens and due to a merge conflict also removed the X-Requested-With logic Vova had added.

Using X-Requested-With was a fine workaround (and bringing that logic back would've continued to work around the issue), but sending the correct Origin header is better and will more closely mimic what is actually happening when code is deployed to production, so that is the fix I have made here.

Signed-off-by: Stephen Gutekanst [email protected]
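The following is an added illustration of the two pieces the description talks about, written for this page and not taken from Sourcegraph's code base: a simplified version of the "no session auth for API requests that lack both a trusted Origin and X-Requested-With" rule, and a development reverse proxy whose Director rewrites the Origin header to the backend's own origin. The `/.api/` path prefix, the `trusted` allowlist, the header values and the in-process backend are all assumptions constructed for the example; the real check and proxy live in different parts of the repository and have more cases.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// sessionAuthAllowed applies the rule the MR refers to, in simplified form
// (assumption: API routes live under /.api/). A request to an API endpoint may
// rely on cookie session authentication only when its Origin is in the trusted
// allowlist or it carries X-Requested-With. Browsers attach Origin to cross-site
// POSTs and never add X-Requested-With on their own, so a forged cross-site
// request fails both tests and is handled as if it were unauthenticated.
func sessionAuthAllowed(r *http.Request, trusted map[string]bool) bool {
	if !strings.HasPrefix(r.URL.Path, "/.api/") {
		return true // non-API routes are outside the rule in this example
	}
	if r.Header.Get("X-Requested-With") != "" {
		return true
	}
	return trusted[r.Header.Get("Origin")]
}

// newDevProxy builds a reverse proxy from a local frontend to a remote backend.
// With rewriteOrigin=false it behaves like the proxy before the fix: the
// browser's Origin (e.g. http://localhost:3080) is forwarded unchanged and
// trips the check above. With rewriteOrigin=true the Director replaces Origin
// with the backend's own origin, which is what the MR changes.
func newDevProxy(target *url.URL, rewriteOrigin bool) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	base := proxy.Director
	proxy.Director = func(r *http.Request) {
		base(r)
		r.Host = target.Host
		if rewriteOrigin {
			r.Header.Set("Origin", target.Scheme+"://"+target.Host)
		}
	}
	return proxy
}

// originSeenByBackend sends one API request from a browser with the given
// Origin through newDevProxy to an in-process backend (constructed test server)
// and reports the Origin header the backend observed and its auth decision.
func originSeenByBackend(browserOrigin string, rewriteOrigin bool) (origin string, allowed bool) {
	var trusted map[string]bool
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin = r.Header.Get("Origin")
		allowed = sessionAuthAllowed(r, trusted)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		panic(err)
	}
	// The backend trusts only its own origin, as a production deployment
	// trusts its configured external URL.
	trusted = map[string]bool{target.Scheme + "://" + target.Host: true}

	req := httptest.NewRequest("POST", "/.api/graphql", nil)
	req.Header.Set("Origin", browserOrigin)
	newDevProxy(target, rewriteOrigin).ServeHTTP(httptest.NewRecorder(), req)
	return origin, allowed
}

func main() {
	for _, fix := range []bool{false, true} {
		origin, allowed := originSeenByBackend("http://localhost:3080", fix)
		fmt.Printf("rewriteOrigin=%v -> backend saw Origin=%q, sessionAuthAllowed=%v\n", fix, origin, allowed)
	}
}
```

Running it prints one line for the pre-fix proxy, where the backend sees the browser's localhost Origin and refuses session auth, and one for the fixed proxy, where it sees its own origin and accepts it. The point of rewriting Origin rather than adding X-Requested-With is visible in `sessionAuthAllowed`: the header-based escape hatch bypasses the origin check entirely, whereas the rewritten Origin exercises the same branch a production browser request takes.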
