From 81fc65e59b8f93906dabfe6d12a9341e77937831 Mon Sep 17 00:00:00 2001 From: Christian Byrne Date: Fri, 24 Oct 2025 18:31:38 -0700 Subject: [PATCH] [bugfix] fix auth service worker to handle cross-origin redirects to GCS (#6265) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Fixes CORS errors in HTTPS environments where the auth service worker blocked cross-origin redirects to Google Cloud Storage. ## Problem The service worker was using `mode: 'same-origin'` which prevented following redirects when `/api/view` returns a 302 redirect to GCS: ``` Unsafe attempt to load URL https://storage.googleapis.com/... from frame with URL https://testcloud.comfy.org/auth-sw.js. Domains, protocols and ports must match. ``` This only occurred in HTTPS/cloud environments where media is served from GCS. Localhost/HTTP test environments serve files directly without redirects, so the issue wasn't caught there. ## Solution Changed redirect handling from automatic to manual: 1. **Initial request to `/api/view`**: Sends WITH auth headers (validates user access) 2. **Detect redirect response**: Checks for 301/302/opaqueredirect 3. **Follow redirect to GCS**: Fetches WITHOUT auth headers (signed URL has built-in auth) ### Key Changes - Removed `mode: 'same-origin'` (was blocking cross-origin redirects) - Changed `redirect: event.request.redirect` to `redirect: 'manual'` - Added manual redirect handling that follows to GCS without Firebase auth headers ## Why This Works The two requests have different authentication mechanisms: - **`/api/view` request**: Uses Firebase auth header (backend validates user access) - **GCS request**: Uses signed URL with query params (`Signature=...`, `GoogleAccessId=...`, `Expires=...`) The security check still happens on the initial `/api/view` request, but we allow the redirect to GCS to use its own authentication system. ## Testing - Typecheck passed - Should be tested in HTTPS cloud environment with media files stored in GCS ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-6265-bugfix-fix-auth-service-worker-to-handle-cross-origin-redirects-to-GCS-2976d73d365081d0b124db4918f8194e) by [Unito](https://www.unito.io) --- public/auth-sw.js | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/public/auth-sw.js b/public/auth-sw.js index 60a11eff1..a8929a77f 100644 --- a/public/auth-sw.js +++ b/public/auth-sw.js @@ -54,18 +54,36 @@ self.addEventListener('fetch', (event) => { headers.set(key, value) } - return fetch( + // Fetch with manual redirect to handle cross-origin redirects (e.g., GCS signed URLs) + const response = await fetch( new Request(event.request.url, { method: event.request.method, headers: headers, - mode: 'same-origin', credentials: event.request.credentials, cache: 'no-store', - redirect: event.request.redirect, + redirect: 'manual', referrer: event.request.referrer, integrity: event.request.integrity }) ) + + // If redirected to external storage (GCS), follow without auth headers + // The signed URL contains its own authentication in query params + if ( + response.type === 'opaqueredirect' || + response.status === 302 || + response.status === 301 + ) { + const location = response.headers.get('location') + if (location) { + return fetch(location, { + method: 'GET', + redirect: 'follow' + }) + } + } + + return response } catch (error) { console.error('[Auth SW] Request failed:', error) return fetch(event.request)