fix(auth): preserve raw BetterAuth cookie token for session lookup
@@ -426,6 +426,21 @@ describe("AuthService", () => {
|
||||
});
|
||||
});
|
||||
|
||||
it("should preserve raw cookie token value without URL re-encoding", async () => {
|
||||
const auth = service.getAuth();
|
||||
const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
|
||||
auth.api = { getSession: mockGetSession } as any;
|
||||
|
||||
const result = await service.verifySession("tok/with+=chars=");
|
||||
|
||||
expect(result).toEqual(mockSessionData);
|
||||
expect(mockGetSession).toHaveBeenCalledWith({
|
||||
headers: {
|
||||
cookie: "__Secure-better-auth.session_token=tok/with+=chars=",
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
it("should fall back to Authorization header when cookie-based lookups miss", async () => {
|
||||
const auth = service.getAuth();
|
||||
const mockGetSession = vi
|
||||
|
||||
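Review bot: The new case pins only the `__Secure-better-auth.session_token` candidate, because `mockGetSession` resolves with session data on its first call, so the `better-auth.` and `__Host-` variants changed in the same commit are never asserted to carry the raw token. Assuming the service tries the candidates in order when a lookup misses, a second case could use `vi.fn().mockResolvedValueOnce(null).mockResolvedValueOnce(mockSessionData)` and assert `expect(mockGetSession).toHaveBeenNthCalledWith(2, { headers: { cookie: "better-auth.session_token=tok/with+=chars=" } })`. It would also help to add a case for a token containing `;` or whitespace, so the intended handling of delimiter characters in the cookie header is pinned by a test rather than left implicit.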
@@ -150,22 +150,20 @@ export class AuthService {
|
||||
}
|
||||
|
||||
private buildSessionHeaderCandidates(token: string): SessionHeaderCandidate[] {
|
||||
const encodedToken = encodeURIComponent(token);
|
||||
|
||||
return [
|
||||
{
|
||||
headers: {
|
||||
cookie: `__Secure-better-auth.session_token=${encodedToken}`,
|
||||
cookie: `__Secure-better-auth.session_token=${token}`,
|
||||
},
|
||||
},
|
||||
{
|
||||
headers: {
|
||||
cookie: `better-auth.session_token=${encodedToken}`,
|
||||
cookie: `better-auth.session_token=${token}`,
|
||||
},
|
||||
},
|
||||
{
|
||||
headers: {
|
||||
cookie: `__Host-better-auth.session_token=${encodedToken}`,
|
||||
cookie: `__Host-better-auth.session_token=${token}`,
|
||||
},
|
||||
},
|
||||
{
|
||||
|
||||
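Review bot: With `encodeURIComponent` gone, `token` is interpolated into all three `cookie` values verbatim, so a token containing `;`, a comma, whitespace or a control character no longer stays inside a single cookie-value and could be parsed downstream as additional cookie pairs. If `token` can originate from a request (the callers are not visible here), check it against the RFC 6265 cookie-octet set before building the cookie candidates, e.g. `const cookieSafe = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(token);`, and skip the three cookie entries when it fails. That set still admits `/`, `+` and `=`, so the tokens this commit is meant to preserve keep working. The method's body continues past the end of the hunk.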