From 3a6183cdbe962edce4c4275b2c3f28fcf3eafec3 Mon Sep 17 00:00:00 2001
From: Lukas Reining <lukas.reining@codecentric.de>
Date: Sun, 15 Dec 2024 13:31:05 +0100
Subject: [PATCH] fix: change credentials mode from "omit" to "same-origin"
 when set to false

Signed-off-by: Lukas Reining <lukas.reining@codecentric.de>
---
 eventsource.iml    |  1 +
 src/eventsource.ts | 29 ++++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/eventsource.iml b/eventsource.iml
index 80cc739..59351bd 100644
--- a/eventsource.iml
+++ b/eventsource.iml
@@ -4,5 +4,6 @@
     <exclude-output />
     <content url="file://$MODULE_DIR$" />
     <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" name="@zxing" level="application" />
   </component>
 </module>
\ No newline at end of file
diff --git a/src/eventsource.ts b/src/eventsource.ts
index 5e3f06e..e30f300 100644
--- a/src/eventsource.ts
+++ b/src/eventsource.ts
@@ -28,6 +28,12 @@ export type EventSourceOptions = {
    * Fetch implementation to use for connecting. Defaults to {@link globalThis.fetch}
    */
   fetch?: typeof fetch;
+
+  /**
+   * Sets the fetch credential mode to `omit` instead of `same-site`.
+   * If {@link EventSourceInit.withCredentials} is set, {@link omitCredentials} will take precedence and the `credential` will be set to `omit`.
+   */
+  omitCredentials?: boolean;
 } & Omit<RequestInit, 'cache' | 'credentials' | 'signal'>;
 
 /**
@@ -40,9 +46,9 @@ export type EventSourceExtraOptions = {
   fetchInput?: typeof fetch;
 };
 
-export type CustomEvent = Event & { 
-  response?: Response; 
- };
+export type CustomEvent = Event & {
+  response?: Response;
+};
 
 export class CustomEventSource extends EventTarget implements EventSource {
   // https://html.spec.whatwg.org/multipage/server-sent-events.html#dom-eventsource-url
@@ -93,6 +99,12 @@ export class CustomEventSource extends EventTarget implements EventSource {
       this.logger = this.options.logger ?? new ConsoleLogger();
     }
 
+    if (this.options.omitCredentials && this.options.withCredentials) {
+      this.logger?.warn(
+        'omitCredentials and withCredentials have been set to true. withCredentials will be ignored and credentials will not be sent!',
+      );
+    }
+
     this.connect();
   }
 
@@ -131,7 +143,11 @@ export class CustomEventSource extends EventTarget implements EventSource {
               Accept: ContentTypeEventStream,
             },
         cache: 'no-store',
-        credentials: this.withCredentials ? 'include' : 'omit',
+        credentials: this.options.omitCredentials
+          ? 'omit'
+          : this.withCredentials
+          ? 'include'
+          : 'same-origin',
         signal: this.abortController?.signal,
       };
 
@@ -157,7 +173,10 @@ export class CustomEventSource extends EventTarget implements EventSource {
           response,
         );
       } else if (!response?.body) {
-        return this.failConnection(`Request failed with empty response body'`, response);
+        return this.failConnection(
+          `Request failed with empty response body'`,
+          response,
+        );
       }
 
       this.announceConnection(response);