Preflight checklist
Ory Network Project
No response
Describe the bug
When using @ory/client-fetch, the toSession() method allows passing a cookie parameter as part of requestParameters, which correctly sets the Cookie header — unless initOverrides.headers is also provided. In that case, the SDK silently overwrites the Cookie header with the contents of initOverrides.headers, leading to an unexpected 401 Unauthorized response.
Reproducing the bug
const session = await api.toSession(
  { cookie },
  {
    headers: {
      'Cache-Control': 'max-age=0'
    }
  }
);
Expected behavior:
The request sends both Cookie and Cache-Control headers
Actual behavior:
Only Cache-Control is sent. Cookie is silently overwritten. Request fails with 401 Unauthorized.
Workaround
Manually add the cookie into headers:
const session = await api.toSession(
  { cookie },
  {
    headers: {
      'Cache-Control': 'max-age=0',
      'Cookie': cookie
    }
  }
);
Relevant log output
Relevant configuration
Version
"@ory/client-fetch": "1.22.4"
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
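
The workaround above, generalized as an added example (not part of the original issue and not code from @ory/client-fetch): a hypothetical `mergeInit()` helper builds `initOverrides` that always carry the session cookie, for any header container and casing. `reportedSend()` is a constructed stand-in that models only the overwrite behaviour described in this report, and the cookie value is a constructed sample.

```javascript
// Added example, not code from @ory/client-fetch.
// mergeInit() is a hypothetical helper; reportedSend() is a constructed
// stand-in that models only the behaviour reported in this issue.

// Normalize any fetch HeadersInit shape (Headers, [name, value] pairs,
// plain object) into a plain object with lower-cased names.
function toPlainHeaders(init) {
  const out = {};
  if (!init) return out;
  const put = (name, value) => { out[String(name).toLowerCase()] = String(value); };
  if (Array.isArray(init)) {
    for (const [name, value] of init) put(name, value);
  } else if (typeof init.forEach === 'function') {
    init.forEach((value, name) => put(name, value)); // Headers instance
  } else {
    for (const [name, value] of Object.entries(init)) put(name, value);
  }
  return out;
}

// Build initOverrides that always carry the session cookie, whatever
// casing or container the caller used for their own headers.
function mergeInit(cookie, initOverrides = {}) {
  const headers = toPlainHeaders(initOverrides.headers);
  if (cookie !== undefined && cookie !== null && cookie !== '') headers.cookie = cookie;
  return { ...initOverrides, headers };
}

// Constructed model of the reported behaviour: headers from request
// parameters are replaced wholesale when initOverrides.headers exists.
function reportedSend({ cookie }, initOverrides = {}) {
  const fromParams = cookie ? { cookie } : {};
  return initOverrides.headers ? toPlainHeaders(initOverrides.headers) : fromParams;
}

const cookie = 'ory_session_example=constructed-value'; // constructed sample
const overrides = { headers: { 'Cache-Control': 'max-age=0' } };

const before = reportedSend({ cookie }, overrides);
const after = reportedSend({ cookie }, mergeInit(cookie, overrides));
console.log('without helper:', before); // cookie missing
console.log('with helper:   ', after);  // cookie and cache-control present
```

With the real client the helper would be used as `api.toSession({ cookie }, mergeInit(cookie, { headers: { 'Cache-Control': 'max-age=0' } }))`, which is the workaround from the report with the header merge made explicit.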