Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Fetch Calls Removes Authorization Header

See original GitHub issue

This is a duplicate of #1822, and similar to the issue with xhr sandbox in #1016.

We use the Authorization header to pass our JWT token to our backend API. We use fetch, with mode: 'cors', and whitelist the Authorization header in the preflight response using access-control-allow-headers.

This works as expected under normal conditions, and chrome will issue a preflight and pass our Authorization header in the subsequent GET.

However, in hammerhead, the header is stripped out in transform.ts/transformAuthorizationHeader().

The server request then gets a 401, as it’s unauthorized, and hammerhead gives a 222 response to the browser.

Curiously, there also doesn’t appear to be a preflight, although both chrome and firefox issue one without the proxy in place. hammerhead should issue a preflight, as “the request includes any headers other than those which the Fetch spec defines as being a CORS-safelisted request-header”

The fix in #1016 was to prefix the header with AUTHORIZATION.valuePrefix, then strip it out during the header transforms. It looks like this would apply equally well to fetch as it does to xhr.

We also can’t seem to find any combination of fetch params that will force hammerhead to issue a preflight.

Issue Analytics

State:
Created 4 years ago
Comments:8 (4 by maintainers)

Top GitHub Comments

2reactions

LavrovArtemcommented, May 20, 2019

Thank you for the additional information. I’ve reproduced this issue.

1reaction

matthias-bcommented, May 23, 2019

@LavrovArtem thanks for such a prompt fix! You are awesome.

After much trial and error, we implemented a simple workaround in the meantime, shifting our cache setting from the fetch to the request, like so:

fetch(new Request('http://localhost:2020/fetch', { method: 'GET', headers: { 'Authorization': '123' }, mode: 'cors', cache: 'no-cache' }))

Top Results From Across the Web

Using an authorization header with Fetch in React Native

Example fetch with authorization header: fetch('URL_GOES_HERE', { method: 'post', headers: new Headers({ 'Authorization': 'Basic ...

How do I send requests using JavaScript Fetch API? - ReqBin

You can pass HTTP headers to the fetch() request as the second parameter. For example, to pass the Bearer Token Authorization Header, call...

Set Authorization Header for API Requests if User Logged In

This is a quick example of how to automatically set the HTTP Authorization header for requests sent with fetch() from React to an...

remove authorization header on redirect to different host #1

request removes the authorization header while redirecting if the host changes: ... node-fetch is still sending all the headers, which...

Using the Fetch API - MDN Web Docs

Instead, as soon as the server responds with headers, the Promise will resolve normally (with the ok property of the response set to...

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

Fetch Calls Removes Authorization Header

Issue Analytics

Top GitHub Comments

Top Results From Across the Web

Top Related Medium Post

Top Related StackOverflow Question

Troubleshoot Live Code

Top Related Reddit Thread

Top Related Hackernoon Post

Top Related Tweet

Top Related Dev.to Post

Top Related Hashnode Post

Tetcases are failing due to creating mapbox Icons

Salesforce custom lightning components not visible to testcafe