web: fix authentication when using `sg start web-standalone`

Merged Warren Gifford requested to merge sg/fix-web-standalone into main

Created by: slimsag

Prior to this change, the proxy server that `sg start web-standalone` uses to proxy requests to https://k8s.sgdev.org did not send an appropriate Origin header (it sent http://localhost:3080 or https://sourcegraph.test, NOT https://k8s.sgdev.org as we would expect).

In #27313 (21 days ago) we hardened security by enforcing that requests to API endpoints that are not from trusted origins and do not have X-Requested-With will not be allowed to use session authentication. This introduced the issue for `sg start web-standalone` originally, and to work around this @vovakulikov added X-Requested-With to all proxied requests in #27825.

In #28572 (merged yesterday) I removed the proxy logic for CSRF tokens and due to a merge conflict also removed the X-Requested-With logic Vova had added.

Using X-Requested-With was a fine workaround, and bringing that logic back would've continued to work around the issue, but sending the correct Origin header is better and will more closely mimic what is actually happening when code is deployed to production, so that is the fix I have made here.

Signed-off-by: Stephen Gutekanst stephen@sourcegraph.com
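As an added illustration (not Sourcegraph's own code, which this merge request does not show), here is the trusted-origin rule the description attributes to #27313 next to the Origin rewrite this change makes in the dev proxy, in Go. The trusted-origin list, the function names and the treatment of a missing Origin header as untrusted are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Origins whose session cookies the API accepts (constructed; the MR names https://k8s.sgdev.org).
var trustedOrigins = map[string]bool{"https://k8s.sgdev.org": true}

// SessionAuthAllowed restates the hardening rule from #27313: session auth only when the
// Origin is trusted or X-Requested-With is present. A missing Origin is untrusted here (assumption).
func SessionAuthAllowed(r *http.Request) bool {
	if r.Header.Get("X-Requested-With") != "" {
		return true
	}
	return trustedOrigins[r.Header.Get("Origin")]
}

// RewriteOrigin is the fix the MR describes: replace the browser's Origin (http://localhost:3080
// or https://sourcegraph.test) with the upstream's own origin, as a production request would carry.
func RewriteOrigin(r *http.Request, upstream *url.URL) {
	r.Host = upstream.Host
	if r.Header.Get("Origin") != "" {
		r.Header.Set("Origin", upstream.Scheme+"://"+upstream.Host)
	}
}

// NewDevProxy wires RewriteOrigin into a standard single-host reverse proxy.
func NewDevProxy(upstream *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	base := p.Director
	p.Director = func(req *http.Request) {
		base(req)
		RewriteOrigin(req, upstream)
	}
	return p
}

func main() {
	upstream, _ := url.Parse("https://k8s.sgdev.org")
	r, _ := http.NewRequest("POST", "http://localhost:3080/.api/graphql", nil)
	r.Header.Set("Origin", "http://localhost:3080")
	fmt.Println("before rewrite, session auth allowed:", SessionAuthAllowed(r)) // false
	RewriteOrigin(r, upstream)
	fmt.Println("after rewrite, session auth allowed:", SessionAuthAllowed(r)) // true
}
```

In a dev server the proxy from NewDevProxy would be mounted as an http.Handler in front of the upstream; the two printed lines show the request being rejected with the original Origin and accepted once it is rewritten.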

Merged May 6, 2025 10:28am UTC