♻️ do not rely on cookies server-side, only work with the bearer header

fumeapp · Aug 13, 2024 · cff7e6f · cff7e6f
1 parent 870865f
commit cff7e6f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/app/composables/api.ts b/app/composables/api.ts
@@ -26,6 +26,7 @@ export const useApi = () => {
   }
 
   const fetch = $fetch.create({
+    headers: { Accept: 'application/json', Authentication: `Bearer: ${useCookie('token', cookieOptions).value}` },
     onResponse: ({ response }) => {
       if (silent.value) {
         silent.value = false

diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts
@@ -5,9 +5,9 @@ export default defineEventHandler(async (event) => {
     '/api/token',
   ]
 
-  const cookies = parseCookies(event)
-  if (cookies.token && auth.verify(useRuntimeConfig(event), cookies.token) === true)
-    await auth.set(cookies.token)
+  const bearer = (event.node.req.headers.authentication as string)?.split(' ')[1] || undefined
+  if (bearer && auth.verify(useRuntimeConfig(event), bearer) === true)
+    await auth.set(bearer)
   if (gatedRoutes.some(route => getRequestURL(event).pathname.startsWith(route)))
     if (!auth.user())
       return metapi().error(event, 'Not Authenticated', 401)