[GH-ISSUE #728] GET https://app.addy.io/api/v1/chart-data: 401 message "Unauthenticated." #1072

Closed
opened 2026-03-14 11:38:58 +03:00 by kerem · 20 comments
Originally created by @mrusme on GitHub (Apr 12, 2025).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/728

For a while now I've been experiencing the following issue on the dashboard:

```
GET /api/v1/chart-data HTTP/2
Host: app.addy.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/127.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
X-Requested-With: XMLHttpRequest
X-XSRF-TOKEN: XXX
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: XSRF-TOKEN=XXX AnonAddy=XXX remember_web_XXX=XXX
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
```

```
HTTP/2 401
server: nginx
content-type: application/json
cache-control: no-cache, private
date: Sat, 12 Apr 2025 23:20:49 GMT
access-control-allow-origin: *
access-control-expose-headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
X-Firefox-Spdy: h2

{"message":"Unauthenticated."}
```

After this there are subsequent errors, presumably due to this:

```
Uncaught (in promise)
Object { stack: "[minified stack trace in app-BWXEHcGY.js omitted]", message: "Request failed with status code 401", name: "AxiosError", code: "ERR_BAD_REQUEST", config: {…}, request: XMLHttpRequest, response: {…}, status: 401 }
```

I have tried logging out, clearing all data/cookies/localstorage, logging back in, still it doesn't work. The chart remains empty and the error persists.

kerem closed this issue 2026-03-14 11:39:04 +03:00

@mrusme commented on GitHub (Apr 12, 2025):

Can confirm that in a different browser (ungoogled-chromium) it works.


@mrusme commented on GitHub (Apr 12, 2025):

Turned down Protection Settings in Firefox from Strict to Standard, and disabled Enhanced Protection Settings for the site, yet still the chart won't load. Disabled Decentraleyes as well as uBlock Origin, still nothing.


@mrusme commented on GitHub (Apr 12, 2025):

When I manually request the URL (https://app.addy.io/api/v1/chart-data) in Firefox, I get the following reply:

```
HTTP/2 302
server: nginx
content-type: text/html; charset=utf-8
location: https://app.addy.io/login
cache-control: no-cache, private
date: Sat, 12 Apr 2025 23:32:39 GMT
access-control-allow-origin: *
access-control-expose-headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com/ https://challenges.cloudflare.com/; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src https://js.stripe.com https://hooks.stripe.com https://challenges.cloudflare.com/; object-src 'none'
referrer-policy: origin-when-cross-origin
X-Firefox-Spdy: h2
```

@willbrowningme commented on GitHub (Apr 15, 2025):

You can't manually request the URL since it is an API endpoint and needs authentication.

I just tested this in Firefox and it works as expected.

Your request seems to be missing the `referer: https://app.addy.io/` header.

Something must be removing it which may be the problem.


@mrusme commented on GitHub (Apr 15, 2025):

Thank you for testing! I'm using Firefox with rather strict settings. However, the referer shouldn't be a requirement for the request to work.

If Addy requires it then this issue might be renamed into something along the lines of Remove requirement for referer header in API requests.


@willbrowningme commented on GitHub (Apr 15, 2025):

It is how Laravel Sanctum works to authenticate SPAs through the API - https://laravel.com/docs/12.x/sanctum#how-it-works-spa-authentication

> Sanctum will only attempt to authenticate using cookies when the incoming request originates from your own SPA frontend.

You will have to add an exception for this if Firefox (or whichever extension it is) allows it.


@mrusme commented on GitHub (Apr 15, 2025):

According to the docs:

> Additionally, you should ensure that you send the `Accept: application/json` header and either the `Referer` or `Origin` header with your request.

Does Addy set the Origin? I would believe that if it would set Origin (as SPAs normally do for CORS) it should work even without the Referer header.


@willbrowningme commented on GitHub (Apr 16, 2025):

The cors.php config file is here - https://github.com/anonaddy/anonaddy/blob/master/config/cors.php

Does it return 401 for other API actions such as activating/deactivating an alias?


@mrusme commented on GitHub (Apr 16, 2025):

```
POST /api/v1/active-aliases HTTP/2
Host: app.addy.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-XSRF-TOKEN: XXX
Content-Length: 45
Origin: https://app.addy.io
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: XSRF-TOKEN=XXX
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
```

```
HTTP/2 200
server: nginx
content-type: application/json
vary: Accept-Encoding
cache-control: no-cache, private
date: Wed, 16 Apr 2025 13:52:45 GMT
x-ratelimit-limit: 60
x-ratelimit-remaining: 59
access-control-allow-origin: *
access-control-expose-headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
set-cookie: XSRF-TOKEN=XXX; expires=Wed, 30 Apr 2025 13:52:45 GMT; Max-Age=1209600; path=/; secure; httponly; samesite=lax
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com/ https://challenges.cloudflare.com/; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src https://js.stripe.com https://hooks.stripe.com https://challenges.cloudflare.com/; object-src 'none'
referrer-policy: origin-when-cross-origin
content-encoding: br
X-Firefox-Spdy: h2

{"data":{"id":"xxx","user_id":"xxx","aliasable_id":"xxx","aliasable_type":"App\\Models\\Username","local_part":"xxx","extension":null,"domain":"xxx","email":"xxx","active":true,"description":"xxx","from_name":null,"attached_recipients_only":false,"emails_forwarded":2,"emails_blocked":0,"emails_replied":0,"emails_sent":0,"recipients":[{"id":"xxx","user_id":"xxx","email":"xxx","can_reply_send":true,"should_encrypt":true,"inline_encryption":false,"protected_headers":false,"fingerprint":"xxx","email_verified_at":"2025-04-09 00:43:15","aliases":[],"created_at":"2022-12-26 17:13:43","updated_at":"2025-04-11 21:40:23"}],"last_forwarded":"2025-02-22 00:16:49","last_blocked":null,"last_replied":null,"last_sent":null,"created_at":"2024-11-18 09:37:52","updated_at":"2025-04-16 13:52:45","deleted_at":null}}
```

Other requests work fine -- and apparently they contain the Origin header.


@willbrowningme commented on GitHub (Apr 16, 2025):

If you click the bell icon next to your username in the nav bar do the notifications load successfully?


@mrusme commented on GitHub (Apr 16, 2025):

Nope, only seeing a loading spinner.


@willbrowningme commented on GitHub (Apr 16, 2025):

It seems to only be affecting the two GET API requests then, other methods (POST, DELETE) seem to be working as expected.


@mrusme commented on GitHub (Apr 16, 2025):

Okay, so, do you want to reopen this issue or shall I use the "Share Feedback" form in my Addy Pro account to submit the problem? What's the preferred process to get this fixed? Thank you!


@willbrowningme commented on GitHub (Apr 17, 2025):

The user agent doesn't always set the `Origin` header for `GET` or `HEAD` requests - https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin#description

You must have `network.http.sendRefererHeader` set to `0` in your `about:config` in Firefox.

I'm looking for a potential solution for this now.


@mrusme commented on GitHub (Apr 17, 2025):

> You must have `network.http.sendRefererHeader` set to `0` in your `about:config` in Firefox.

Correct, yes, amongst other things like `privacy.resistFingerprinting` and subsequent configurations. Amongst the tools I use, however, I only noticed Addy not liking this -- and only in particular locations. Charts in e.g. Grafana show up fine.


@willbrowningme commented on GitHub (Apr 17, 2025):

This is the method and line in the Sanctum middleware that determines if the request is from the first-party application frontend:

https://github.com/laravel/sanctum/blob/4.x/src/Http/Middleware/EnsureFrontendRequestsAreStateful.php#L74

If neither the `Referer` nor the `Origin` header is being included by the browser then it will always return false and I'm not sure what else can be done.

I think the only option may be to change these `GET` requests to `POST` ones instead.


@mrusme commented on GitHub (Apr 17, 2025):

> If neither the `Referer` or `Origin` headers are being included by the browser

As stated before, for other requests (disabling/enabling aliases) Firefox does include the Origin header:

```
Origin: https://app.addy.io
```

What is the difference between the disabling/enabling aliases requests and the graph/notifications requests? It seems like for the former Addy is using Origin and it works just fine, while for the latter it doesn't. Is that due to the different method? (POST vs GET)

I don't know whether it's easily possible to pre-render a version of the chart as well as the notification upon delivery, but that would certainly help with this issue. Then at least I could refresh the page to get an output.


@willbrowningme commented on GitHub (Apr 17, 2025):

It's because those other requests are not GET requests and therefore Firefox does include the Origin header.

It is only the GET API requests that are not working because:

> Broadly speaking, user agents add the Origin request header to:
>
> - cross origin requests.
> - same-origin requests except for GET or HEAD requests (i.e., they are added to same-origin POST, OPTIONS, PUT, PATCH, and DELETE requests).

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin#description

I will have to change those requests to POST ones and that should fix it.
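
The failure mode discussed across this thread (Sanctum's first-party check needs `Referer` or `Origin`, browsers omit `Origin` on same-origin `GET`, and a Firefox with `network.http.sendRefererHeader` set to `0` omits `Referer` too) modelled in JavaScript. This is an added example, not addy.io or Laravel Sanctum code; `fromFrontend` is an approximation of the Sanctum middleware check linked above and `browserHeaders` is a model of the MDN rule quoted here, with `app.addy.io` as the assumed stateful domain.

```javascript
// Added example (not addy.io or Sanctum code): why same-origin GET API calls
// get "401 Unauthenticated." under Sanctum SPA auth when Firefox sends no
// Referer, while POST calls to the same backend keep working.

// Stand-in for config('sanctum.stateful'); assumption for this example.
const STATEFUL_DOMAINS = ["app.addy.io"];

// Approximation of Sanctum's EnsureFrontendRequestsAreStateful::fromFrontend():
// prefer Referer, fall back to Origin, strip the scheme, force a trailing
// slash, then match against "<stateful domain>/*". The trailing slash is what
// stops "app.addy.io.attacker.example" from matching "app.addy.io".
function fromFrontend(headers, statefulDomains = STATEFUL_DOMAINS) {
  let domain = headers["referer"] || headers["origin"];
  if (!domain) return false; // neither header present: never first-party
  domain = domain.replace(/^https?:\/\//, "");
  if (!domain.endsWith("/")) domain += "/";
  return statefulDomains.some((d) => domain.startsWith(d.trim() + "/"));
}

// Model of the headers a browser attaches to a same-origin XHR/fetch issued
// from https://app.addy.io (constructed here, not captured traffic):
//  - Origin is added to same-origin requests except GET/HEAD (MDN rule above);
//  - Referer is added unless the user has disabled it in about:config.
function browserHeaders({ method, sendReferer }) {
  const headers = { accept: "application/json" };
  if (sendReferer) headers["referer"] = "https://app.addy.io/";
  if (!["GET", "HEAD"].includes(method.toUpperCase())) {
    headers["origin"] = "https://app.addy.io";
  }
  return headers;
}

// What the middleware decides for one request: cookie auth is attempted
// ("stateful") or the request falls through to the 401 seen in the issue.
function outcome(method, sendReferer) {
  return fromFrontend(browserHeaders({ method, sendReferer }))
    ? "stateful"
    : "401 Unauthenticated";
}

// The four combinations discussed in the thread.
function matrix() {
  const result = {};
  for (const method of ["GET", "POST"]) {
    for (const sendReferer of [true, false]) {
      result[`${method} referer=${sendReferer}`] = outcome(method, sendReferer);
    }
  }
  return result;
}

console.table(matrix());
```

Only `GET` with the Referer suppressed ends up with no first-party signal at all, which is why switching those two endpoints to `POST` restores the `Origin` header and the session authentication.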


@willbrowningme commented on GitHub (Apr 22, 2025):

This should work now if you try it again.


@mrusme commented on GitHub (Apr 22, 2025):

I can confirm that on app.addy.io I can now see graphs as well as notifications! Thank you so much for fixing this! :-)
