Description
Describe the bug
When opening a REST endpoint from the dashboard (e.g. to trigger a file download on a custom controller), the endpoint ctx has a different channelId than the one in the session/the one which is active in the dashboard.
This leads to permissions not being resolved correctly and database queries failing/misbehaving if they depend on the active channel.
To Reproduce
Steps to reproduce the behavior:
- Create REST endpoint in controller
- Add e.g. an action item in the Dashboard redirecting to the REST endpoint, or just log in to the Dashboard and manually visit the REST endpoint.
- See output of context.
Expected behavior
The channelId of the currently active channel in the dashboard should be used in the request.
Actual behavior
The _default_channel channelId is resolved by the request.
Error logs
Output of ctx from such a request. Notice the differing channelId in the ctx itself and in ctx.session (which is the one I would expect):
[server] <ref *2> RequestContext {
// ...
[server] vendureRequestContextMap: Map(1) { [AsyncFunction: download] => [Object] },
[server] vendureRequestContext: { default: [Circular *2], withTransactionManager: undefined },
[server] [Symbol(shapeMode)]: true,
[server] [Symbol(kCapture)]: false,
[server] [Symbol(kHeaders)]: {
[server] host: 'localhost:3000',
[server] connection: 'keep-alive',
[server] 'cache-control': 'max-age=0',
[server] 'sec-ch-ua': '"Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"',
[server] 'sec-ch-ua-mobile': '?0',
[server] 'sec-ch-ua-platform': '"macOS"',
[server] 'upgrade-insecure-requests': '1',
[server] 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36',
[server] accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
[server] 'sec-fetch-site': 'same-origin',
[server] 'sec-fetch-mode': 'navigate',
[server] 'sec-fetch-user': '?1',
[server] 'sec-fetch-dest': 'document',
[server] referer: 'http://localhost:3000/dashboard/orders/a554f206-ac4a-45fa-bccb-59800e53c4c3',
[server] 'accept-encoding': 'gzip, deflate, br, zstd',
[server] 'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
[server] cookie: 'session=eyJ0b2tlbiI6IjcyMTgxNTNlM2E3ZjUwY2MxMmM2ZTExNzY5OTA1Zjc2ZTA3NDdkNzMwOWE2MTAxMjA2OTI3NTRiMjg3YTZjNzgifQ==; session.sig=Q6OLhgAc_D-sKPRRgkIoSyY-RAY'
[server] },
[server] [Symbol(kHeadersCount)]: 34,
[server] [Symbol(kTrailers)]: null,
[server] [Symbol(kTrailersCount)]: 0
[server] },
[server] _apiType: 'custom',
[server] _channel: Channel {
[server] token: '73009jsocj6zgzf5ftob',
[server] createdAt: 2025-04-23T18:09:09.378Z,
[server] updatedAt: 2025-04-23T18:09:09.378Z,
[server] code: '__default_channel__',
[server] description: '',
[server] defaultLanguageCode: 'de',
[server] availableLanguageCodes: [ 'de' ],
[server] defaultCurrencyCode: 'EUR',
[server] availableCurrencyCodes: [ 'EUR' ],
[server] trackInventory: true,
[server] outOfStockThreshold: 0,
[server] pricesIncludeTax: false,
[server] id: 'c58f590c-1832-4ec2-b869-8adbe6d0b411',
[server] sellerId: '7da9c62c-d99e-4397-a6dc-3cf1b81bc5f5',
[server] customFields: CustomChannelFields {
[server] accessMode: 'public',
[server] allowGuestOrdering: true,
[server] displayOrder: 0
[server] },
[server] defaultShippingZone: Zone {
[server] createdAt: 2025-12-21T14:05:55.162Z,
[server] updatedAt: 2025-12-21T14:05:55.162Z,
[server] name: 'Deutschland',
[server] id: '0bf41449-4483-4651-91f4-328ad3d8a0ee'
[server] },
[server] defaultTaxZone: Zone {
[server] createdAt: 2025-12-21T14:05:55.162Z,
[server] updatedAt: 2025-12-21T14:05:55.162Z,
[server] name: 'Deutschland',
[server] id: '0bf41449-4483-4651-91f4-328ad3d8a0ee'
[server] }
[server] },
[server] _session: {
[server] cacheExpiry: 1766403773.832,
[server] id: 'fbd4ad72-c80c-4056-843d-07cb66da49fa',
[server] token: '7218153e3a7f50cc12c6e11769905f76e0747d7309a610120692754b287a6c78',
[server] expires: 2026-12-22T17:04:20.717Z,
[server] activeOrderId: null,
[server] activeChannelId: 'd8af690e-f4f1-40e4-84c6-954c2777a928',
[server] authenticationStrategy: 'native',
[server] user: {
[server] id: 'bdf7f0ae-fa61-4763-80a9-291e3b746775',
[server] identifier: 'test',
[server] verified: true,
[server] channelPermissions: [Array]
[server] }
[server] },
[server] _languageCode: 'de',
[server] _currencyCode: 'EUR',
[server] _isAuthorized: false,
[server] _authorizedAsOwnerOnly: false,
[server] _translationFn: [Function (anonymous)]
[server] }
Environment (please complete the following information):
- @vendure/core version: v3.5.2
- Nodejs version: v22.14.0
- Database (mysql/postgres etc): postgres
- Operating System (Windows/macOS/Linux): macOS
- Browser (if applicable): Zen, Chrome
- Package manager (npm/yarn/pnpm): npm
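A fail-closed guard for the mismatch reported above, as an added example that is not part of the original issue or of Vendure's code. The `CtxLike` shape, the `checkChannel` helper and the `ReadOrder` sample permission are assumptions; they mirror the `_channel.id`, `_session.activeChannelId` and `channelPermissions` fields visible in the log.

```typescript
// Minimal stand-ins for the fields visible in the log output above.
// These interfaces are illustrative assumptions, not Vendure's own types.
interface ChannelPermissions { id: string; permissions: string[]; }
interface CtxLike {
  channelId: string;                    // ctx._channel.id in the log
  session?: {
    activeChannelId: string | null;     // ctx._session.activeChannelId in the log
    user?: { channelPermissions: ChannelPermissions[] };
  };
}

type Verdict =
  | { ok: true; channelId: string }
  | { ok: false; reason: 'no-session' | 'channel-mismatch' | 'missing-permission' };

// Fail closed: proceed only when the channel resolved for the request is the
// session's active channel AND the user holds the permission on that channel.
function checkChannel(ctx: CtxLike, required: string): Verdict {
  const active = ctx.session?.activeChannelId;
  if (!ctx.session || !active) return { ok: false, reason: 'no-session' };
  if (ctx.channelId !== active) return { ok: false, reason: 'channel-mismatch' };
  const entry = ctx.session.user?.channelPermissions.find(p => p.id === active);
  if (!entry || !entry.permissions.includes(required)) {
    return { ok: false, reason: 'missing-permission' };
  }
  return { ok: true, channelId: active };
}

// Constructed sample built from the two channel ids shown in the log.
const DEFAULT_CHANNEL = 'c58f590c-1832-4ec2-b869-8adbe6d0b411';
const ACTIVE_CHANNEL = 'd8af690e-f4f1-40e4-84c6-954c2777a928';
const perms: ChannelPermissions[] = [
  { id: ACTIVE_CHANNEL, permissions: ['ReadOrder'] }, // sample permission, constructed
];
const fromLog: CtxLike = {
  channelId: DEFAULT_CHANNEL,
  session: { activeChannelId: ACTIVE_CHANNEL, user: { channelPermissions: perms } },
};
const consistent: CtxLike = { ...fromLog, channelId: ACTIVE_CHANNEL };

console.log(checkChannel(fromLog, 'ReadOrder'), checkChannel(consistent, 'ReadOrder'));
```

Rejecting on mismatch keeps a download handler from running channel-scoped queries against the default channel while the session's permissions belong to another one.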