mnfst 0.5.108 → 0.5.109

package/lib/manifest.data.js

@@ -7605,44 +7605,45 @@ function createAppwriteMethodsHandler(dataSourceName, reloadDataSource) {
 
                     // Authenticate the fetch for permissioned buckets.
                     //
-                    // Storage's /view, /download and /preview endpoints are
-                    // designed for embed-in-<img> use and check the user's
-                    // SESSION COOKIE, not API/dev keys (those are honoured
-                    // only on the JSON endpoints like /storage/buckets/.../
-                    // files/.../). So X-Appwrite-Dev-Key alone won't open
-                    // the door, and in localhost dev the cross-domain
-                    // session cookie won't be sent by the browser either
-                    // (SameSite=Lax blocks third-party cookies on plain HTTP).
+                    // Storage's /view, /download and /preview endpoints check
+                    // the USER SESSION — not API/dev keys (those work only on
+                    // JSON endpoints like /storage/buckets/.../files/.../).
+                    // In localhost dev the browser blocks the cross-domain
+                    // session cookie (SameSite=Lax on plain HTTP), so the
+                    // request lands at Appwrite as anonymous and a permissioned
+                    // file returns 404 storage_file_not_found.
                     //
-                    // Appwrite's recommended fix for this exact case is to
-                    // mint a short-lived JWT from the active session and
-                    // pass it as `X-Appwrite-JWT`. JWTs expire after 15 min
-                    // and are rate-limited (10 / hour / account), so we
-                    // only mint one for this single fetch.
+                    // The Appwrite Web SDK works around this by writing the
+                    // session token to localStorage under `cookieFallback`
+                    // and replaying it as the `X-Fallback-Cookies` header on
+                    // every SDK request. That's why SDK calls (getFile metadata
+                    // above, listRows, $create, etc.) succeed cross-domain
+                    // while raw fetch() doesn't — raw fetch doesn't know to
+                    // read that localStorage key.
                     //
-                    // Falls back to credentials-only fetch when:
-                    //   - the auth plugin isn't loaded (no createJWT path)
-                    //   - the user isn't signed in (createJWT would throw)
-                    //   - JWT mint failed for any other reason
-                    // …because that path still works in production with a
-                    // proper same-site or SameSite=None session cookie.
+                    // We do exactly what the SDK does: read cookieFallback
+                    // and attach it as X-Fallback-Cookies. This is more
+                    // reliable than JWT:
+                    //   - no createJWT round-trip (and dev-key-configured
+                    //     clients 501 on createJWT)
+                    //   - no 15-min expiry or rate limit (10/hour/account)
+                    //   - matches whatever auth the SDK is already using
+                    //
+                    // Falls through to credentials-only when the user isn't
+                    // signed in (no cookieFallback in storage) — that path
+                    // still works in production with a SameSite=None cookie.
                     const fetchHeaders = {};
                     if (appwriteConfig.projectId) {
                         fetchHeaders['X-Appwrite-Project'] = appwriteConfig.projectId;
                     }
                     try {
-                        const getClient = window.ManifestAppwriteAuthConfig?.getAppwriteClient;
-                        if (getClient && window.Appwrite?.Account) {
-                            const { client } = await getClient();
-                            if (client) {
-                                const account = new window.Appwrite.Account(client);
-                                const jwtResult = await account.createJWT();
-                                if (jwtResult?.jwt) {
-                                    fetchHeaders['X-Appwrite-JWT'] = jwtResult.jwt;
-                                }
-                            }
+                        const cookieFallback = typeof localStorage !== 'undefined'
+                            ? localStorage.getItem('cookieFallback')
+                            : null;
+                        if (cookieFallback) {
+                            fetchHeaders['X-Fallback-Cookies'] = cookieFallback;
                         }
-                    } catch { /* JWT mint failed — fall back to cookie auth */ }
+                    } catch { /* localStorage access denied — fall through */ }
 
                     const response = await fetch(viewUrl, {
                         method: 'GET',

package/lib/manifest.integrity.json

@@ -6,7 +6,7 @@
   "manifest.color.js": "sha384-Z9G/lzt0vVMxjz4wkPuGG1X9mmQAJR15aOoGX3ephf7r2wnlUWet5GLgkUMtT4vt",
   "manifest.colorpicker.js": "sha384-0EVn+Ha06h7FIvOxc6WjZYnKYXzi+zba08yKvczSEGTRkWRxyKN2TFrZHI1SDCXu",
   "manifest.components.js": "sha384-3dCTD5EwCZTiX+1obYtDNM3WWwPh2JDQUQQsdRUUK3gs6FXjse1ShkKaT/2jsNaI",
-  "manifest.data.js": "sha384-nmEQrihotpNg3oF5UdPh1h/PEMrQx6614+7o5N5K8IP9J0hbDs16JlygEP6n42zL",
+  "manifest.data.js": "sha384-pgX6RJRWP7jmWO4ALb+GbS7Gm5JGOrCtxjEOnEcj1aJ8HoGbFjOniyjsntf8IA+B",
   "manifest.dropdowns.js": "sha384-WMrFoSpKfJuo81dyrwhVrDO8rq+rDwh2x8x4nH01BY5ZHkvjE+/SaT2gWCI0zOn+",
   "manifest.export.js": "sha384-qvdGz1TiGEDOeWJ5os1z03RURdKX+ezZEQ1KyV+9iC7X0esLK83mtY87t4MQv45t",
   "manifest.icons.js": "sha384-uOkboYrovjCpl22eey3Jaxpey+pOnot5NDnRRumcRxiR7IOVaRh1i20gYnWXR5dW",

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mnfst",
-    "version": "0.5.108",
+    "version": "0.5.109",
     "private": false,
     "workspaces": [
         "templates/starter",