Remote functions: ability to intercept fetch

[vd-aloker]

Suggestion: add a way to intercept or configure each fetch call made to remote functions. Especially allow request headers to be set, e.g. for setting the Authorization

Scenario

As I explained in the original discussion on remote functions, we have a couple of apps that could really benefit from remote functions. But those apps cannot reliably use cookies because they run as Microsoft Teams Apps in an iframe. As much as I'm unsatisfied with the nature of MS Teams apps, it is what we have to deal with.

Because we cannot use cookies, our apps have to rely on headers for authentication (eg Bearer token in an Authorization header). Currently, we have no access to the underlying fetch call when using remote functions.

Alternatives

• If we can't use headers, we'll have to resort to sending the data with the remote function payload. However, that doesn't feel particularly idiomatic.
• Telefunc allows the user to "replace"/patch fetch: fetch. We've successfully used telefunc, but obiously, it's not as smooth and idomatic as SK remote functions

Issues/open questions

• I'm aware that this will not gracefully fall back to native support when using form (when no fetch is involved)
• This will likely not work when invoking a remote function on the server side and for initial SSR (again, no fetch involved and the token is not available anyway)

Final words

I'm sorry if this topic has been discussed anywhere else except for the remote functions thread I mentioned above. I couldn't find anything regarding the current state of this issue. My latest status is Rich saying "Yeah, intercepting the fetch rather than the query is a possibility"

[mrksbnch]

I'm aware that this request is about setting headers in general, but I'm not sure it's a good idea to set the Authorization header with a token on the client side. This would imply that the token is already stored on the client, e.g., in session storage (as you mentioned in the linked discussion).

That said, this might be a bit off-topic, but why can't you use cookies in an iframe? I haven’t worked with MS Teams apps specifically, but in some projects, I've had to deal with apps running inside iframes. There are some limitations, but cookies (with SameSite=None) can be set and read in iframes. So they might still be a better choice than storing the token on the client and sending it as an HTTP header to the server. In a browser context (not sure about additional limitations imposed by MS Teams), you can also use other standards nowadays to "share" cookies, e.g., partitioned cookies or storage access (headers). If you want to have long lived sessions, you can use other mechanisms while keeping everything on the server, e.g., using refresh tokens (stored in a HTTPOnly cookie, potentially even encrypted) to get new access tokens.

[vd-aloker]

Thanks for reply. I'm very aware that storing the tokens client side is far from optimal. I'd really like to use cookies. That's what we'd normally do: database backed sessions with encrypted tokens in the DB and a session cookie containing only the session id. No tokens on the client side. Token refresh on the server.

Our last proof of concept regarding cookies inside Teams wasn't promising, but I'll check again. Maybe we've overlooked something. So, thanks for the input 🙏🏻