Derive Lockr API Origin from Referer for first-party proxy#831
Closed
aram356 wants to merge 1 commit into
Closed
Conversation
The Lockr API rejects settings/identity requests that arrive without an
Origin header. Behind the first-party proxy, the browser's call to
/integrations/lockr/api is same-origin, so it sends no Origin — and the
proxy previously forwarded the request with none, causing the upstream to
return {"success":false,"error":{"code":400,"message":"Invalid request"}}.
That short-circuits the SDK's getAIMSettings() init (which gates on
success && data), so no settings, pvStatus, page-view, or identity tokens
follow.
Synthesize the publisher Origin from the page Referer when the request
carries no Origin and no origin_override is configured, and forward the
Referer upstream so the proxied request matches what a direct cross-origin
browser call would send. Precedence: origin_override, then request Origin,
then Referer-derived origin.
Collaborator
Author
|
Closing — the Origin theory was a misdiagnosis. Verified against the live upstream and the deployed server: the failure is the proxy not forwarding the POST body (upstream returns |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #832
Problem
Behind the first-party proxy, the Lockr
settingscall returns success-shaped HTTP 200 but a failure body:{"success":false,"error":{"code":400,"message":"Invalid request"}}The SDK's
getAIMSettings()only proceeds whensuccess === true && data, so the entire init chain short-circuits — no settings data, nopvStatus, nopage-view, and no identity tokens.Root cause
The Lockr identity API (
identity.loc.kr) requires the publisher'sOriginheader. When a browser calls the API directly it is cross-origin, so the browser attachesOriginautomatically. Behind the first-party proxy the browser calls/integrations/lockr/api/...on the same origin as the page, so it sends noOrigin.copy_request_headersonly setOriginfrom a configuredorigin_overrideor a pre-existing requestOrigin— neither present in the first-party case — so the proxied request reached the upstream with noOriginand was rejected.Verified by direct replay against the upstream: the same body with no
Originis rejected, while supplying the publisherOrigingets past that check.Fix
In the Lockr API proxy's
copy_request_headers:Originfrom the pageRefererwhen the request has noOriginand noorigin_overrideis configured. The same-origin call still carries aReferer(the page URL), whose origin is exactly the value a direct cross-origin call would have sent.Refererheader upstream so the proxied request matches a direct browser call.Precedence:
origin_override→ requestOrigin→Referer-derived origin.Testing
origin_override; andorigin_from_urlextraction (path/query/fragment stripped, scheme-less rejected).cargo test -p trusted-server-core lockr— 13 passed.cargo fmt --all -- --checkandcargo clippy -p trusted-server-core --all-features— clean.Verification note
End-to-end browser verification requires a deployment of this change (the live first-party endpoint runs the deployed build); the fix is covered by unit tests and an upstream replay that isolates
Originas the cause.