ACCESS STATIC RESOURCE WILL CAUSE LOSING SESSION from EGG-PASSPORT

[minhthinhls]

What happens?

Currently I Enable Allowing Credentials from Client to enable Passport Deserialize Methods to run. If no Cookie it will not run !
But when a request with Static resources as Image fired to Server, the server will remove old session and response back to client new session (inside cookie) . Hence user got kicked out of session.

[egg-bot]

Hello @minhthinhls. Please provide a reproducible example following the instruction.

Issues labeled by Need Reproduce will be closed if no activities in 7 days.

---

@minhthinhls，请根据这个说明提供最小可复现代码。

如果在 7 天内没有进展会被自动关闭。

[minhthinhls]

Suppose I have an Axios Instance from CLIENT Side. Which been initialized with the following code. When I enable withCredential === true, the HTTP Instance will indeed tend to use cookie to store EGG_SESS, but that's the case for Request with POST and GET. Also when withCredentials === false, Egg-Passport will not trigger DESERIALIZE callback method in app.passport.deserialize(callback);
Then for the real case: I want to use the deserialize hook for intuitive code base. But since !!! When I load static resources, for example, image from egg server in directory ./app/public, and use withCredentials === true from HTTP CLient Side. The response Cookie for EGG_SESS will have different value and it override my old EGG_SESS, and thus kick me out of currently logged in state.

const httpInstance = axios.create({
	timeout: 60000,
	baseURL: CONFIG.http.baseURL,
	withCredentials: true, // <-- Please have a look into this flag.
	headers: {
		'Content-Type': 'application/json',
		'X-Requested-With': 'XMLHttpRequest',
	},
});
httpInstance.defaults.headers.common.isLoading = true;
httpInstance.defaults.headers.common.successAlert = false;
httpInstance.defaults.headers.common.errorAlert = true;
Object.setPrototypeOf(httpInstance, axios);

For Egg-Server, the following configuration inside config.default.ts will be

export default (appInfo: EggAppInfo): RecursivePartial<IEggAppConfig> => ({
  security: {
    csrf: false,
    domainWhiteList: ['*'],
  },

  /** @see {@link https://github.com/eggjs/egg-cors/blob/master/app.js/} */
  cors: {
    /** @type {function(ctx: Context): void} */
    origin: (ctx: Context): string => {
      /** - Origin is `${protocol}://${hostname}:${port}` !*/
      const origin = ctx.get('origin');
      /** Block Client Request when `Request Headers: Origin` got omitted !*/
      if (!origin) {
        return "";
      }

      if (typeof ctx.isSafeDomain !== 'function') {
        return origin;
      }

      /** @see {@link https://www.w3schools.com/nodejs/nodejs_url.asp} */
      const parsedUrl = new URL(origin);
      if (ctx.isSafeDomain(parsedUrl.hostname) || ctx.isSafeDomain(origin)) {
        return origin;
      }

      /** Default Blocking Unsafe Request from Client !*/
      return "";
    },
    credentials: true,
    allowMethods: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE', 'PATCH', 'OPTIONS'].join(","),
    allowHeaders: [
      'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials',
      'Accept', 'Authorization', 'Content-Type', 'X-Requested-With', 'Origin',
      'cancelRequest', 'errorAlert', 'successAlert', 'isLoading', 'responseType', 'token',
    ].join(","),
    exposeHeaders: 'Content-Disposition',
  },
});