Allow APP_BASE to be an empty string when setting cookies

- I originally set APP_BASE to '/' instead of '' because setting cookies requires the slash and I wanted to reuse the APP_BASE env var when setting cookies - However, this seems to cause problems with svelte which doesn't allow APP_BASE to end in a slash (even if it's just a single slash): see https://svelte.dev/docs/kit/configuration#paths - Changed the logic so that APP_BASE can be '' if desired and when setting cookies, we just set the path to '/' if APP_BASE is ''
huggingface · Jan 6, 2025 · 1f1c799 · 1f1c799
1 parent 9935f4f
commit 1f1c799
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 6 deletions.
diff --git a/.env b/.env
@@ -180,7 +180,7 @@ ADMIN_API_SECRET=# secret to admin API calls, like computing usage stats or expo
 # These values cannot be updated at runtime
 # They need to be passed when building the docker image
 # See https://github.com/huggingface/chat-ui/main/.github/workflows/deploy-prod.yml#L44-L47
-APP_BASE="/" # base path of the app, e.g. /chat
+APP_BASE= # base path of the app, e.g. /chat
 PUBLIC_APP_COLOR=blue # can be any of tailwind colors: https://tailwindcss.com/docs/customizing-colors#default-color-palette
 ### Body size limit for SvelteKit https://svelte.dev/docs/kit/adapter-node#Environment-variables-BODY_SIZE_LIMIT
 BODY_SIZE_LIMIT=15728640

diff --git a/src/lib/server/auth.ts b/src/lib/server/auth.ts
@@ -211,7 +211,7 @@ export async function logout(cookies: Cookies, locals: App.Locals) {
 
 	for (const cookie_name of cookie_names) {
 		cookies.delete(cookie_name, {
-			path: env.APP_BASE,
+			path: env.APP_BASE || "/",
 			// So that it works inside the space's iframe
 			sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 			secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),

diff --git a/src/lib/server/providers/microsoft_entra/providerEntra.ts b/src/lib/server/providers/microsoft_entra/providerEntra.ts
@@ -59,7 +59,7 @@ async function getAccessToken(
 	};
 
 	cookies.set(ProviderCookieNames.ACCESS_TOKEN, JSON.stringify(accessToken), {
-		path: env.APP_BASE,
+		path: env.APP_BASE || "/",
 		// So that it works inside the space's iframe
 		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
@@ -68,7 +68,7 @@ async function getAccessToken(
 	});
 
 	cookies.set(ProviderCookieNames.PROVIDER_PARAMS, JSON.stringify(newProviderParameters), {
-		path: env.APP_BASE,
+		path: env.APP_BASE || "/",
 		// So that it works inside the space's iframe
 		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
@@ -109,7 +109,7 @@ async function refreshMicrosoftGraphToken(
 	};
 
 	cookies.set(ProviderCookieNames.ACCESS_TOKEN, JSON.stringify(refreshedAccessToken), {
-		path: env.APP_BASE,
+		path: env.APP_BASE || "/",
 		// So that it works inside the space's iframe
 		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),

diff --git a/src/routes/login/callback/+server.ts b/src/routes/login/callback/+server.ts
@@ -89,7 +89,7 @@ async function handleLogin(requestEvent: RequestEvent) {
 				httpOnly: true,
 				secure: true,
 				sameSite: "none",
-				path: env.APP_BASE,
+				path: env.APP_BASE || "/",
 			}
 		);
 	}