refactor: DATA-12840 Avoid passing auth poken as a part of request query params#71
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
79baf62 to
52504ef
Compare
|
Hey @bc-donfran, |
|
Hey @bc-rmalyavc! That should be fine! |
3043f5d to
18d9d2c
Compare
solofeed
left a comment
There was a problem hiding this comment.
Given Google’s updated stance on not fully phasing out third‑party cookies, introducing an additional exchange-token load flow feels like unnecessary complexity.
Instead of layering a temporary token store and redirect indirection, we should revert PR #48 and restore a secure HttpOnly cookie. This keeps the auth token out of URLs, reduces Firestore load, and simplifies maintenance.
Reverting is cleaner than maintaining an exchange mechanism
Also, it makes sense to discuss with Keith overall view and strategy for that app. It feels like we would want to build better UX and more feature functionality
|
@bc-rmalyavc thanks for clarification |
What/Why?
We've previously migrated from the approach where we stored auth token in cookies to query params based. Because of the 3rd party cookies deprecation. Now passing the actual token as a part of query params is not safe, so we needed to come up with a more secure approach. Since we use
NextResponse.redirectmethod in theload/routewe can not pass it in headers or request body. So that the new flow is the followingloadroute we still generate the auth token as we did beforeexchangeToken, by which we can retrieve the actual auth token. It has a short TTL (currently 2 minutes and may be reduced)NextResponse.redirecthappens as usual though this time we append this temporary exchangeToken to the URL query parameters (it is the only way we can pass something to the next route)src/app/productDescription/[productId]/page.tsxpage where we generate the actual form. Here we get theexchangeTokenfrom query params and fetch the actualauthTokenfrom firebase. It can be retrieved only once and then immediately gets removed from firebase.Generator(and thenForm) component. We pass the token into the component as an attribute (as we previously did)api/GenerateDescriptionroute. Previously we passed the token here as a query param too. With this change we pass it in headers instead and get from headers on the API side.Rollout/Rollback
Merge/revert
Testing
Generate descriptionbutton and verified that auth token is not passed as a part of request url, but is passed through a request headerScreen.Recording.2025-09-11.at.15.16.42.mov
After merge tested the same flow including uninstall/install on production. Confirmed that everything works as expected
@bigcommerce/team-data