Bug Description
When creating an EventSource with withCredentials: true, the underlying fetch request sets credentials to "omit" instead of "include". This means cookies and auth headers are not sent with the EventSource request, even though the user explicitly requested credentials.
Reproduction
import { EventSource } from "undici"
const es = new EventSource("http://localhost:3000/events", {
withCredentials: true
})Expected Behavior
Per the WHATWG EventSource spec, when withCredentials is true, the request credentials mode should be "include".
Actual Behavior
In lib/web/eventsource/eventsource.js lines 167-169:
credentials: corsAttributeState === "anonymous"
? "same-origin"
: "omit",
When withCredentials is true, corsAttributeState is set to USE_CREDENTIALS (not "anonymous"), so the ternary evaluates to "omit". It should evaluate to "include".
The fix is straightforward: change "omit" to "include":
- credentials: corsAttributeState === "anonymous"
- ? "same-origin"
- : "omit",
+ credentials: corsAttributeState === "anonymous"
+ ? "same-origin"
+ : "include",
Environment
- undici 8.3.0 (current main)
- Node.js v22.x
References
Bug Description
When creating an
EventSourcewithwithCredentials: true, the underlying fetch request setscredentialsto"omit"instead of"include". This means cookies and auth headers are not sent with the EventSource request, even though the user explicitly requested credentials.Reproduction
Expected Behavior
Per the WHATWG EventSource spec, when
withCredentialsis true, the request credentials mode should be"include".Actual Behavior
In
lib/web/eventsource/eventsource.jslines 167-169:When
withCredentialsis true,corsAttributeStateis set toUSE_CREDENTIALS(not"anonymous"), so the ternary evaluates to"omit". It should evaluate to"include".The fix is straightforward: change
"omit"to"include":Environment
References