Skip to content

Fix incorrect args and request method#421

Open
radishmouse wants to merge 2 commits into
mainfrom
fix/incorrect-call-to-oidc-authenticate
Open

Fix incorrect args and request method#421
radishmouse wants to merge 2 commits into
mainfrom
fix/incorrect-call-to-oidc-authenticate

Conversation

@radishmouse

@radishmouse radishmouse commented Jan 7, 2026

Copy link
Copy Markdown
Collaborator

While investigating #407, I noticed that the API call to auth/oidc/authenticate was incorrect.

  • Updated both the caller and the route to POST.
  • Removed unused headers.

Side note:
I haven't looked into it, but I suspect that the headers are added by oidc-client-ts and our api.call() function automatically includes the headers.

The backend automatically extracts and uses the auth token from the headers via the requireOIDCAuth middleware.

@radishmouse radishmouse requested a review from aaspinwall January 7, 2026 22:50

@aaspinwall aaspinwall left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! We definitely should change get to post but I think we should split the difference and keep the authorization token on the post request. Since the header is getting requested and sent, it means it's not contained in the api store yet.

@radishmouse

Copy link
Copy Markdown
Collaborator Author

Nice catch! We definitely should change get to post but I think we should split the difference and keep the authorization token on the post request. Since the header is getting requested and sent, it means it's not contained in the api store yet.

I think this needs some more investigation-
Something is already adding the token to the header on outgoing requests (maybe the oidc-client-ts library, when we call userManager.signinCallback()).

Meaning, the backend is able to extract and validate the auth token, even if we don't pass it as an argument to api.call()

I definitely prefer it being explicit (passing it to api.call()), but I also don't want to pretend like that's actually where the token is coming from.

I'll look more closely at what's happening with oidc-client-ts and follow up.

@radishmouse radishmouse changed the title Fix incorrect args, remove unused headers Fix incorrect args and request method Jan 23, 2026
@radishmouse

Copy link
Copy Markdown
Collaborator Author

@aaspinwall I've restored the header w/token.
So the only real change in this PR is fixing the arguments and changing the request type (on the client and on the server) for the route.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants