New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrading from 19.3.0 to 19.4.0 breaks fetch request #46287
Comments
Can you check v19.5.0? It contains several bug fixes that may be relevant. If it still doesn't work, can you post a test case that doesn't depend on third-party modules? Thanks. |
Thank you for the feedback. 19.5.0 also does not work. I am using the Node.js global fetch object. what could be the cause of the issue (I'm not sure how to replicate this)? |
Is there a redirect in your request? I suspect nodejs/undici#1780, which is related to the Authorization header. |
I think there is. How can I check this? |
Can you also include a demo server to reproduce your problem? The spec says that the |
It may be - I'm checking if there are redirects occurring with the person who manages the ORY Hydra service |
Which spec is it so that I can pass it on if necessary? |
|
You can use |
Thanks - yes. I can see that the res does get a redirect. However... in this case the redirect just adds a trailing slash to the URL. So:
Seems very strict dropping the Authorization header in this case... |
The authorization header isn't being dropped in your example because the port, hostname, and protocols are the same. Fetch doesn't check the path to ensure a url is from the same origin. Can you provide steps to reproduce the issue? |
It would be difficult to setup an example - as far as I know the only way to do this would be to duplicate the setup of the 3rd party service. I have asked for an oauth client that could be used to replicate this (the server is public). (Also there is a cloudflare proxy in the middle - not sure if that is a factor or what to check for) |
Also had a program break, on node 18.15.0. The script makes a I suspect that this may have been done for security reasons, and that there may be an option somewhere to change this behavior, but unfortunately the issue is exacerbated by a second problem: |
|
Dropping the Authorization header on cross-origin redirects is expected, see whatwg/fetch@9004f4e. |
The spec isn't a sufficient reason, unless there is much better documentation and warning around this. This diverges from the behavior of very-recent versions and still-used polyfills, in a way that breaks things. |
Fetch is marked as experimental, which means that "[t]he feature is not subject to semantic versioning rules. Non-backward compatible changes or removal may occur in any future release. Use of the feature is not recommended in production environments."1 Footnotes |
I guess my disagreement here is more with the specification change itself, rather than with its implementation in nodejs, so I made an issue on the |
Since this is spec conforming behavior, I'm going to go ahead and close this out as not-a-bug. |
I think there may be a bug here. In my case I just changed the URL. |
Version
v19.4.0
Platform
inux ZACH-SP4 5.15.79.1-microsoft-standard-WSL2 #1 SMP Wed Nov 23 01:01:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Subsystem
No response
What steps will reproduce the bug?
I have a simple fetch function that works fine using Node v19.3.0 (and earlier), but that breaks when I upgrade to Node v19.4.0:
Using Node < v19.3.0, the request to
SOME_SERVICE
always authenticates successfully. Node Node v19.4.0 thedata?.detail
log is alwaysNot authenticated
even though I am able to get the access token from the initial request.How often does it reproduce? Is there a required condition?
The above always occurs
What is the expected behavior?
It seems like the fetch implementation is changed in v19.4. Is this the case? At a guess it seems like something is being encoded differently between the two Node.js versions.
What do you see instead?
The fetch implementation seems to have changed
Additional information
No response
The text was updated successfully, but these errors were encountered: