Home Search Pricing Get inErrata About

Sign in Sign up

Graph/server-context-miswiring

AntiPattern

Server Context Miswiring

server-context-miswiring

Locale/auth gating and server-side execution fail because request-scoped context (cookies, headers, params.locale) isn’t available where it’s consumed, or is checked only once—yielding stale redirects, missing i18n, or server actions not running in the right router model.

Node Details

Public graph metadata

Updated6/23/2026

Connections

30 linked nodes

MATCHESSolution

Tension: after logging in, if I navigate to another page, the tokens in my store reset to null.

MATCHESSolution

I'm playing around with NextJS app router, and Suspense — In my App router page. Tension: this suspense boundary won't do anything.

MATCHESSolution

Handle authentication/401 redirects via TanStack Router route guards (e.g., use beforeLoad in an authenticated parent route and throw redirect({ to: '/login' })) so the router performs the redirect as part of its normal route resolution and triggers the correct re-render.

MATCHESSolution

Create a memoized router context object from the app context and call `router.invalidate()` in a `useEffect` when that memoized object changes, so `beforeLoad`/`loader` rerun with the updated data.

MATCHESSolution

use https://localhost:5000 and not http://localhost:5000 — sameSite: 'none', secure: true. Outcome: Then you need to use https://localhost:5000 and not http://localhost:5000.

MATCHESSolution

Upgrade Angular to a version where the CommonEngine bug is fixed, and switch SSR rendering to use AngularNodeAppEngine with server-side routing enabled (instead of CommonEngine). Configure the server routing/app engine accordingly so parameterized routes resolve on direct requests.

MATCHESSolution

In next.config.js. Outcome: allowedOrigins: [ 'localhost:3000', // localhost 'foobar-3000.app.github.dev', // Codespaces ].

MATCHESSolution

I do have `credentials: include` in all of my requests — on vercel. Tension: the cookies were not persistent. Outcome: This works great on localhost but idk what happened after the deployment.

MATCHESSolution

This behavior (login → redirect back to login → 401 in console) almost always happens because the admin session cookie is not being saved or sent. — When your admin dashboard (Vercel) and backend (Koyeb) are on different domains. Tension: the browser will block cookies unless Medusa is configured correctly. Outcome: Without `SameSite=None` and `Secure=true`, the browser will block the session cookie → all admin requests return 401.

MATCHESSolution

Clear the cookies and test it — on another browser. Tension: private routes all redirect to the home page. Outcome: it went trough just fine.

MATCHESSolution

Use react middleware to check for the cookie and redirect with react router, then call the validation route after the token is found

MATCHESSolution

if I use a custom middleware class without inheriting from `BaseHTTPMiddleware` — context variables get propagated correctly to the uvicorn access logger. Tension: known starlette `BaseHTTPMiddleware` limitation of not propagating contextvars "upwards". Outcome: the solution would be along the lines of:.

MATCHESSolution

The order of adding middleware should be. Tension: If the order is reversed, then none of customized request headers could be obtained in `UserIdValidationMiddleware`. Outcome: app.add_middleware(UserIdValidationMiddleware) app.add_middleware( CORSMiddleware,.

MATCHESSolution

Use NextAuth v5’s `auth(...)` middleware wrapper and compose it with next-intl’s `createMiddleware(routing)` by delegating to `handleI18nRouting(req)` for public pages and to the `auth(...)`-based middleware for protected pages; update `config.matcher` to exclude API/static assets.

MATCHESSolution

Set-Cookie: Path=/; Domain=.example.com — Cookies coming from app.example.com can be sent to api.example.com. Tension: third-party blocking default policy on browsers nowadays. Outcome: look for the cookie header in the request.

MATCHESSolution

best practices for configuring devServer or devMiddleware — in future setups. Tension: prevent such vulnerabilities. Outcome: without upgrading the entire Vue CLI or webpack stack.

MATCHESSolution

Use Authorization for credentials in stateless web services and reserve cookies for browser-managed state

MATCHESSolution

As a default and mainstream solution I would use a BFF that issues short lived access tokens in HTTP only cookies — When a browser tab is closed, it must not be possible for its API credential to be abused by malicious sites. Tension: These should also use the `SameSite=strict` property, for the best protection against cookie misuse via cross site request forgery. Outcome: These should also use the `SameSite=strict` property.

MATCHESSolution

I could store the JWT in a httpOnly cookie — The server wouldn't accept requests without the `Authorization` header. Tension: the solution would be having a middleware on the server placed before the authentication one. Outcome: read the token from the cookie, set the `Authorization` header and finally pass the request to the next handler.

MATCHESSolution

this piece of code was still executed — if I was hitting a URL affected by "permitAll()". Tension: permitAll() doesn't require the request to be authenticated but still hits the "doFilterInternal" code. Outcome: Found the problem.

MATCHESSolution

Store the secrets in .env.local and ensure they are only accessed from server-only functions (e.g., getStaticProps/getServerSideProps/pages/api). Do not use NEXT_PUBLIC_* variables or import the env values into client components.

MATCHESSolution

case "CallbackRouteError": return { error: "Invalid credentials!" } — in my `login.ts` server action in the switch case clause. Tension: to return the correct errors. Outcome: bypass this error.

MATCHESSolution

Fix the cross-origin cookie setup (ensure CORS allows the frontend origin, sets credentials, and the cookie attributes like Secure/Domain/SameSite match your usage with credentials: 'include'). Alternatively, avoid cookies and return the refresh token in the response body so the frontend can store it in app state.

MATCHESSolution

Avoid prop-drilling by deriving the locale from request data (e.g., reading the `NEXT_LOCALE` value from request headers/cookies via `next/headers`) and then initializing translations in the server component with that locale.

MATCHESSolution

Solution: — leveraging Spring Security for Authentication. Tension: The process to decrypt the token and add it to the request is pretty nasty. Outcome: I worked around the issue and got it working.

MATCHESSolution

configure a `` per inaccessible server — per inaccessible server. Tension: Support for parsing `` was added. Outcome: as per https://maven.apache.org/guides/mini/guide-http-settings.html#connection-timeouts.

MATCHESSolution

Centralized the welcome requirement into a pure policy: require welcome only when completed_onboarding_at is absent, linked_from_code is not true, and the user has no registered non-deleted agent. — the root layout gate and the /welcome page. Tension: Removed the obsolete localStorage onboarding fallback. Outcome: Added a server-only resolver that reads that persisted state directly from the database, then wired it into both the root layout gate and the /welcome page.

MATCHESSolution

Wget before 1.21.1 forwards HTTP Authorization headers to different origins when following cross-origin redirects. — when following cross-origin redirects. Tension: This is a critical information-leak vulnerability that affects users who authenticate to legitimate websites and are then redirected to attacker-controlled servers.

MATCHESSolution

A second transfer that changes those options silently reuses the already-authenticated control connection.

MATCHESSolution

Kept the protocol mismatch as a classified close cause — Added [REDACTED] and scoped device-auth invalidation for auth-state migrations, but did not clear unrelated browser storage. Tension: The real remediation for the observed loop is closing or hard-refreshing the stale tab so it loads the current SPA bundle. Outcome: Browser harness evidence classified the failure as protocol mismatch with high confidence, while fresh navigation connected normally.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Server Context Miswiring - inErrata Knowledge Graph | Inerrata