Skip to content

fix: re-apply Cloudflare Pages Function proxy for iOS/Android cookie support #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pkmaster21 merged 5 commits into from
Apr 16, 2026
Merged

fix: re-apply Cloudflare Pages Function proxy for iOS/Android cookie support #28

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
187d060
fix: proxy API through Cloudflare Pages Function to fix iOS Safari gu…
pkmaster21 Apr 16, 2026
44ebc79
fix: update deploy workflow to proxy API through Pages Function
pkmaster21 Apr 16, 2026
0c81e9e
fix: use workingDirectory for wrangler to pick up functions dir
pkmaster21 Apr 16, 2026
b71abac
fix: use SameSite=Lax for session cookies to fix iOS Chrome guest ses…
pkmaster21 Apr 16, 2026
d9068a3
fix: set Pages Function API_URL via Cloudflare API before deployment
pkmaster21 Apr 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 22 additions & 2 deletions .github/workflows/production.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,12 +110,32 @@ jobs:
- name: Build React PWA
run: npm run build --workspace=packages/web
env:
VITE_API_URL: ${{ secrets.PROD_API_GATEWAY_URL }}
VITE_API_URL: ""
VITE_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}

- name: Set Pages Function environment variables
run: |
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/accounts/${{ secrets.CLOUDFLARE_ACCOUNT_ID }}/pages/projects/tabby" \
-H "Authorization: Bearer ${{ secrets.CLOUDFLARE_API_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{
"deployment_configs": {
"production": {
"env_vars": {
"API_URL": {
"value": "${{ secrets.PROD_API_GATEWAY_URL }}",
"type": "plain_text"
}
}
}
}
}' | jq -e '.success'

- name: Deploy to Cloudflare Pages
uses: cloudflare/wrangler-action@v3.14.1
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
command: pages deploy packages/web/dist --project-name=tabby --branch=main
workingDirectory: packages/web
command: pages deploy dist --project-name=tabby --branch=main
4 changes: 2 additions & 2 deletions packages/api/src/routes/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ export async function authRoutes(fastify: FastifyInstance) {
reply.setCookie('oauth_state', JSON.stringify({ state, redirect: redirect ?? '/' }), {
httpOnly: true,
path: '/',
sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
sameSite: 'lax',
secure: process.env['NODE_ENV'] === 'prod',
maxAge: 600, // 10 minutes
});
Expand Down Expand Up @@ -170,7 +170,7 @@ export async function authRoutes(fastify: FastifyInstance) {
reply.setCookie(SESSION_COOKIE, sessionToken, {
httpOnly: true,
path: '/',
sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
sameSite: 'lax',
secure: process.env['NODE_ENV'] === 'prod',
maxAge: 60 * 60 * 24 * 30, // 30 days
});
Expand Down
2 changes: 1 addition & 1 deletion packages/api/src/routes/groups.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ export async function groupRoutes(fastify: FastifyInstance) {
reply.setCookie(SESSION_COOKIE, sessionToken, {
httpOnly: true,
path: '/',
sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
sameSite: 'lax',
secure: process.env['NODE_ENV'] === 'prod',
maxAge: 60 * 60 * 24 * 30,
});
Expand Down
2 changes: 1 addition & 1 deletion packages/api/src/routes/members.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ export async function memberRoutes(fastify: FastifyInstance) {
reply.setCookie(SESSION_COOKIE, sessionToken, {
httpOnly: true,
path: '/',
sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
sameSite: 'lax',
secure: process.env['NODE_ENV'] === 'prod',
maxAge: 60 * 60 * 24 * 30, // 30 days
});
Expand Down
79 changes: 79 additions & 0 deletions packages/web/functions/api/[[path]].ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
// Cloudflare Pages Function: proxy all /api/* requests to the backend API.
// This keeps everything on the same origin (tabby.pages.dev) so session cookies
// work on iOS Safari, which blocks cross-site cookies from fetch() requests.
//
// Required env var in Cloudflare Pages dashboard: API_URL (e.g. https://tabby-api.onrender.com)

interface Env {
API_URL: string;
}

// Headers that must not be forwarded to/from the upstream server
const HOP_BY_HOP = new Set([
'connection',
'keep-alive',
'proxy-authenticate',
'proxy-authorization',
'te',
'trailers',
'transfer-encoding',
'upgrade',
]);

export const onRequest: (context: { request: Request; env: Env; params: Record<string, string | string[]> }) => Promise<Response> = async (context) => {
const { request, env } = context;
const apiBase = env.API_URL?.replace(/\/$/, '');

if (!apiBase) {
return new Response(JSON.stringify({ error: 'API_URL not configured' }), {
status: 502,
headers: { 'Content-Type': 'application/json' },
});
}

const url = new URL(request.url);
const target = new URL(url.pathname + url.search, apiBase);

// Forward request headers, stripping hop-by-hop
const reqHeaders = new Headers();
request.headers.forEach((value, key) => {
if (!HOP_BY_HOP.has(key.toLowerCase())) {
reqHeaders.set(key, value);
}
});

const hasBody = !['GET', 'HEAD'].includes(request.method);
const upstream = await fetch(target.toString(), {
method: request.method,
headers: reqHeaders,
...(hasBody && { body: request.body }),
redirect: 'manual',
});

// Forward response headers, stripping hop-by-hop.
// Set-Cookie must be handled separately via getAll() because forEach() in the
// Cloudflare Workers Headers implementation collapses multiple Set-Cookie values
// into a single comma-joined string, which breaks cookie parsing.
const resHeaders = new Headers();
upstream.headers.forEach((value, key) => {
if (key.toLowerCase() === 'set-cookie') return;
if (!HOP_BY_HOP.has(key.toLowerCase())) {
resHeaders.append(key, value);
}
});

const response = new Response(upstream.body, {
status: upstream.status,
headers: resHeaders,
});

// Append each Set-Cookie individually to preserve separate header entries.
// getAll() is a Cloudflare Workers extension to the Headers API that returns
// an array of values for a given header name, preserving duplicates.
const cookies = (upstream.headers as unknown as { getAll(name: string): string[] }).getAll('set-cookie');
for (const cookie of cookies) {
response.headers.append('set-cookie', cookie);
}

return response;
};