-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
loading history from server with authentication #3031
Comments
Hey, would binding a listener to the existing |
thanks for the suggestion - would that result in a race condition as the event listener may be called after the request is sent? |
@jbockle events fired by htmx run synchronously, so your listener callback will complete before htmx proceeds with its next line. |
Hopefully That callback works well. Just a note that ideally when using htmx you should prefer to use cookies for authentication instead of an authorization header. Normally in htmx the requests are not cross origin and here cookies are the ideal authentication method and have many advantages in ease of use and security compared to authorization headers. Authorization headers are normally used for accessing data api's from remote origins where cookies are not as easy to setup and use. With htmx cookie based auth just works with no additional htmx changes required. Good security guide to understand how to use cookies well with htmx is https://htmx.org/essays/web-security-basics-with-htmx/ The loadHistoryFromServer() function you mention hitting is really almost equivalent to a full page reload when the history is missed even though it is handled by htmx in some situations. One issue is that all full page reloads of any url will not include the auth header so the user will be forced back to your login screen most likely. So while you can update the url with hx-push-url and maybe get it to handle sending auth header on some back actions using |
using events
htmx:confirm
andhtmx:configRequest
, I'm adding an authorization header to the request and is working well.However, when used with
hx-push-url
andhx-history="false"
, I noticed the XMLHttpRequest history restoration does not utilize the confirm/configRequest behavior, resulting in missing authorization header.htmx/src/htmx.js
Lines 3176 to 3204 in 7415f39
Is there another way to provide this authorization header in this scenario? If not, would you be open to a contribution to handle this?
The text was updated successfully, but these errors were encountered: