fix(auth): normalize API base URL to prevent refresh cookie path mismatch
When window.API_URL lacks a trailing slash, axios resolves relative URLs by stripping path segments, causing the refresh request to hit a different path than the cookie's Path attribute. The browser then omits the HttpOnly refresh cookie, silently breaking token renewal and logging users out after the short JWT TTL expires. Extract a getApiBaseUrl() helper that ensures baseURL always ends with '/' so relative URL resolution preserves the full path, matching the cookie scope. Ref: #2391
parent
6299bea794
commit
fd8a8ecba2
|
|
@ -3,9 +3,17 @@ import type {AxiosRequestConfig} from 'axios'
|
|||
import {getToken, refreshToken} from '@/helpers/auth'
|
||||
import {AUTH_TYPES} from '@/modelTypes/IUser'
|
||||
|
||||
/**
|
||||
* Returns the API base URL with a guaranteed trailing slash.
|
||||
*/
|
||||
export function getApiBaseUrl(): string {
|
||||
const url = window.API_URL
|
||||
return url?.endsWith('/') ? url : url + '/'
|
||||
}
|
||||
|
||||
export function HTTPFactory() {
|
||||
const instance = axios.create({
|
||||
baseURL: window.API_URL,
|
||||
baseURL: getApiBaseUrl(),
|
||||
// Ensure the browser sends and accepts cookies (e.g. the HttpOnly
|
||||
// refresh token) even when the API is on a different origin.
|
||||
withCredentials: true,
|
||||
|
|
@ -14,7 +22,7 @@ export function HTTPFactory() {
|
|||
instance.interceptors.request.use((config) => {
|
||||
// by setting the baseURL fresh for every request
|
||||
// we make sure that it is never outdated in case it is updated
|
||||
config.baseURL = window.API_URL
|
||||
config.baseURL = getApiBaseUrl()
|
||||
|
||||
return config
|
||||
})
|
||||
|
|
|
|||
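Review bot: In `getApiBaseUrl()` the fallback branch of `url?.endsWith('/') ? url : url + '/'` also runs when `window.API_URL` is unset, returning the string `'undefined/'`, and an empty value becomes `'/'`. The optional chaining suggests an unset value is expected, yet every request, including the credentialed refresh call, would then resolve against a wrong base instead of behaving as before the change. Handle that case explicitly ahead of the ternary, for example `if (!url) return ''` if the previous no-base behaviour is what callers rely on; whether `window.API_URL` is typed as always being a string is not visible here. The doc comment could also say why the slash matters, e.g. `* The trailing slash keeps relative request URLs under the API path, so the refresh cookie's Path attribute still matches.` The same helper is used in the request interceptor of the second hunk, and the body of `HTTPFactory` continues outside both hunks.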