web: fix authentication when using `sg start web-standalone`
Created by: slimsag
Prior to this change, the proxy server that `sg start web-standalone` uses to proxy requests to https://k8s.sgdev.org did not send an appropriate Origin header (it sent http://localhost:3080 or https://sourcegraph.test, NOT https://k8s.sgdev.org as we would expect).

In #27313 (21 days ago) we hardened security by enforcing that requests to API endpoints that are not from trusted origins and do not have X-Requested-With will not be allowed to use session authentication. This introduced the issue for `sg start web-standalone` originally, and to work around this @vovakulikov added X-Requested-With to all proxied requests in #27825.

In #28572 (merged yesterday) I removed the proxy logic for CSRF tokens and, due to a merge conflict, also removed the X-Requested-With logic Vova had added.

Using X-Requested-With was a fine workaround, and bringing that logic back would've continued to work around the issue, but sending the correct Origin header is better and will more closely mimic what is actually happening when code is deployed to production, so that is the fix I have made here.
Signed-off-by: Stephen Gutekanst stephen@sourcegraph.com
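The two mechanisms the description refers to, as an added illustration that is not Sourcegraph's own code: a development reverse proxy whose director rewrites the Origin header to the upstream's own origin (so the upstream sees a same-origin request instead of one from localhost), next to the kind of server-side gate that permits cookie-based session authentication only when the Origin is trusted or the request carries X-Requested-With. The trusted-origin list, the function names and the request URLs are assumptions made for this example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// trustedOrigins is a constructed list for this example; a real deployment
// would derive it from its configured external URL.
var trustedOrigins = []string{"https://k8s.sgdev.org"}

// sessionAuthAllowed is the gate side: a request may use session (cookie)
// authentication only if its Origin is one we trust, or if it carries
// X-Requested-With, a header a browser will not attach to a cross-site
// form or no-cors request without a CORS preflight. Requests with no
// Origin at all are refused, since a cross-site form POST may omit it.
func sessionAuthAllowed(r *http.Request, trusted []string) bool {
	if r.Header.Get("X-Requested-With") != "" {
		return true
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	for _, t := range trusted {
		if strings.EqualFold(origin, t) {
			return true
		}
	}
	return false
}

// originFor returns scheme://host, the value a browser would put in the
// Origin header for a request made from a page served at u.
func originFor(u *url.URL) string {
	return u.Scheme + "://" + u.Host
}

// rewriteOriginHeader is the proxy side: it replaces a localhost-style
// Origin with the upstream's origin and sets the Host header to match,
// so the proxied request looks like a same-origin request at the upstream.
// It leaves requests that sent no Origin untouched rather than inventing one.
func rewriteOriginHeader(req *http.Request, upstream *url.URL) {
	req.Host = upstream.Host
	if req.Header.Get("Origin") != "" {
		req.Header.Set("Origin", originFor(upstream))
	}
}

// newDevProxy wires rewriteOriginHeader into a single-host reverse proxy.
func newDevProxy(upstream *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	defaultDirector := proxy.Director
	proxy.Director = func(req *http.Request) {
		defaultDirector(req) // rewrites req.URL scheme/host to the upstream
		rewriteOriginHeader(req, upstream)
	}
	return proxy
}

func main() {
	// Assumed local dev listener and assumed upstream; both are placeholders.
	upstream, err := url.Parse("https://k8s.sgdev.org")
	if err != nil {
		log.Fatal(err)
	}
	log.Println("dev proxy listening on http://localhost:3080")
	log.Fatal(http.ListenAndServe("127.0.0.1:3080", newDevProxy(upstream)))
}
```

The check is deliberately conservative: an absent Origin is treated as untrusted, because browsers may omit Origin on cross-site form submissions, which is exactly the traffic a session-auth gate exists to stop.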