-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF token API for service worker #2791
Comments
Let's rather aim at enabling the actual endpoint calls instead of low-level wrappers such as |
After fixing #2867 we could introduce CSRF headers to the worker context just after the Service Worker registration by reading them from initial load cookies.
In the generated
In the An enhancement would be to add an event or callback so users could call endpoints only after the CSRF tokens are acquired, like already proposed:
|
We can skip adding the callback API and make requests wait for the token internally. |
IT tests could use |
Depends on #2867 |
Describe your motivation
Related issue: #2788
In order to call Hilla endpoint methods, a CSRF token is needed. Currently, the CSRF token is available either from the document's meta header or a cookie and its use in the generated endpoints can be considered to be an implementation detail. If a Service Worker wants to call the endpoint method, the document is not available in its context and the invocation can't work; if the token is passed to the service worker, the endpoint call can still be made manually. However, right now, endpoint method calls from service workers require a lot of brittle boilerplate code.
Describe the solution you'd like
There's no one "best" approach, but an explicit framework-provided API would make service worker code more readable and less fragile.
For example, Hilla could create an indexedDb database that contains different configurations and values needed for a service worker to use endpoints. One of these values could be the CSRF token.
These values could be accessed via getter from e.g.
hilla-sw-connector
, which could contain a customfetch
implementation to include cookies and the CSRF token to abstract away the Hilla internal workings.Pseudo-code example:
Hilla side
A configuration setting could be used to tell Hilla to include
hilla-sw-connector
logic in the application.This could be e.g. injected into index.html
Describe alternatives you've considered
Alternative: modify
message
object so that a service worker'smessage
listener could access CSRF token, endpoint method path, and possibly more properties.Then provide a utility for determining that
message
is coming from Hillaor
Additional context
No response
The text was updated successfully, but these errors were encountered: