You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While developing a todo list app, I discovered inconsistent behavior with SvelteKit’s internal fetch wrapper.
Environment & Context
Backend runs on port 8080; SvelteKit runs on port 5173.
Authentication is cookie-based; cookies issued by the backend are maintained by the client.
Issue
Here is a simple example:
// +page.jsexportasyncfunctionload({ fetch }){constresponse=awaitfetch(`http://localhost:8080/api/members/${user.sub}/todos`,{// credentials: 'include' must be enabled to avoid a 401 error after form submission.});consttodoPage=awaitresponse.json();return{ todoPage };}
During the initial page load (both server-side and client-side), this code works correctly.
However, after submitting a form using <form method="POST" use:enhance>, subsequent page reloads cause fetch to exclude cookies, resulting in a 401 authentication error from the backend.
Summary of the Problem
Initially, cookies are automatically included on both server and client requests. But after form submission, fetch behaves like the browser's native fetch without including cookies.
Ultimately, credentials: 'include' must be explicitly specified for all fetch requests, contradicting the original purpose of SvelteKit's wrapped fetch (automatically forwarding client headers).
Suggestions
Clearly document when and how the internal SvelteKit fetch or the browser’s native fetch is used, including explicit scenarios.
While it's appropriate from a security perspective for browsers to exclude cookies by default, SvelteKit's internal fetch should either explicitly require credentials: 'include' consistently or behave consistently by default.
Please share any alternative solutions or additional thoughts.
Thank you!
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Description
While developing a todo list app, I discovered inconsistent behavior with SvelteKit’s internal fetch wrapper.
Environment & Context
Issue
Here is a simple example:
<form method="POST" use:enhance>
, subsequent page reloads cause fetch to exclude cookies, resulting in a 401 authentication error from the backend.Summary of the Problem
credentials: 'include'
must be explicitly specified for all fetch requests, contradicting the original purpose of SvelteKit's wrapped fetch (automatically forwarding client headers).Suggestions
credentials: 'include'
consistently or behave consistently by default.Please share any alternative solutions or additional thoughts.
Thank you!
Beta Was this translation helpful? Give feedback.
All reactions