From 1f1c799cf74663b8c3c49948c0e7158c1f408b27 Mon Sep 17 00:00:00 2001
From: Jon Strutz
Date: Fri, 3 Jan 2025 13:16:44 -0600
Subject: [PATCH] Allow APP_BASE to be an empty string when setting cookies

- I originally set APP_BASE to '/' instead of '' because setting cookies requires the slash and I wanted to reuse the APP_BASE env var when setting cookies
- However, this seems to cause problems with svelte which doesn't allow APP_BASE to end in a slash (even if it's just a single slash): see https://svelte.dev/docs/kit/configuration#paths
- Changed the logic so that APP_BASE can be '' if desired and when setting cookies, we just set the path to '/' if APP_BASE is ''
---
 .env | 2 +-
 src/lib/server/auth.ts | 2 +-
 src/lib/server/providers/microsoft_entra/providerEntra.ts | 6 +++---
 src/routes/login/callback/+server.ts | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.env b/.env
index f82c16635b1..eb0b89eb265 100644
--- a/.env
+++ b/.env
@@ -180,7 +180,7 @@ ADMIN_API_SECRET=# secret to admin API calls, like computing usage stats or expo
 # These values cannot be updated at runtime
 # They need to be passed when building the docker image
 # See https://github.com/huggingface/chat-ui/main/.github/workflows/deploy-prod.yml#L44-L47
-APP_BASE="/" # base path of the app, e.g. /chat
+APP_BASE= # base path of the app, e.g. /chat
 PUBLIC_APP_COLOR=blue # can be any of tailwind colors: https://tailwindcss.com/docs/customizing-colors#default-color-palette
 ### Body size limit for SvelteKit https://svelte.dev/docs/kit/adapter-node#Environment-variables-BODY_SIZE_LIMIT
 BODY_SIZE_LIMIT=15728640
diff --git a/src/lib/server/auth.ts b/src/lib/server/auth.ts
index 09e10c57cae..7cae360faf6 100644
--- a/src/lib/server/auth.ts
+++ b/src/lib/server/auth.ts
@@ -211,7 +211,7 @@ export async function logout(cookies: Cookies, locals: App.Locals) {
 
 for (const cookie_name of cookie_names) {
 cookies.delete(cookie_name, {
- path: env.APP_BASE,
+ path: env.APP_BASE || "/",
 // So that it works inside the space's iframe
 sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
diff --git a/src/lib/server/providers/microsoft_entra/providerEntra.ts b/src/lib/server/providers/microsoft_entra/providerEntra.ts
index d7c6ac69519..9a8bd1daed7 100644
--- a/src/lib/server/providers/microsoft_entra/providerEntra.ts
+++ b/src/lib/server/providers/microsoft_entra/providerEntra.ts
@@ -59,7 +59,7 @@ async function getAccessToken(
 };
 
 cookies.set(ProviderCookieNames.ACCESS_TOKEN, JSON.stringify(accessToken), {
- path: env.APP_BASE,
+ path: env.APP_BASE || "/",
 // So that it works inside the space's iframe
 sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
@@ -68,7 +68,7 @@ async function getAccessToken(
 });
 
 cookies.set(ProviderCookieNames.PROVIDER_PARAMS, JSON.stringify(newProviderParameters), {
- path: env.APP_BASE,
+ path: env.APP_BASE || "/",
 // So that it works inside the space's iframe
 sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
@@ -109,7 +109,7 @@ async function refreshMicrosoftGraphToken(
 };
 
 cookies.set(ProviderCookieNames.ACCESS_TOKEN, JSON.stringify(refreshedAccessToken), {
- path: env.APP_BASE,
+ path: env.APP_BASE || "/",
 // So that it works inside the space's iframe
 sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
 secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
diff --git a/src/routes/login/callback/+server.ts b/src/routes/login/callback/+server.ts
index be59fd4f03b..fc59a1b8835 100644
--- a/src/routes/login/callback/+server.ts
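Review bot: The fallback `env.APP_BASE || "/"` is now spelled out by hand at five call sites — the `cookies.delete` in `logout` here, the three `cookies.set` calls in `getAccessToken` and `refreshMicrosoftGraphToken` in `providerEntra.ts`, and the `handleLogin` hunk in `src/routes/login/callback/+server.ts` — and since a browser only drops a cookie whose Path matches the one it was set with, any future drift between these copies would leave a session or token cookie in place after logout. Computing the value once next to the `env` import, `export const cookiePath = env.APP_BASE || "/"; // "" (no base path) is not a valid cookie Path, so use "/"`, and passing `path: cookiePath` at every site keeps the set and delete paths identical by construction. The choice of `||` over `??` is deliberate here because the empty string is exactly the case that must map to "/"; without a comment saying so, a later strict-equality refactor to `??` would silently reintroduce the invalid empty Path. `logout`, `getAccessToken` and `refreshMicrosoftGraphToken` all begin before and continue past their hunks, so the remaining cookie attributes are not visible for review.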
+++ b/src/routes/login/callback/+server.ts
@@ -89,7 +89,7 @@ async function handleLogin(requestEvent: RequestEvent) {
 httpOnly: true,
 secure: true,
 sameSite: "none",
- path: env.APP_BASE,
+ path: env.APP_BASE || "/",
 }
 );
 }