Skip to content

Fix: Preserve /api/v1 prefix in frontend proxy (Fixes #7974)#8004

Open
srijantrpth wants to merge 3 commits into
Flagsmith:mainfrom
srijantrpth:fix/issue-7974-frontend-api-proxy-path
Open

Fix: Preserve /api/v1 prefix in frontend proxy (Fixes #7974)#8004
srijantrpth wants to merge 3 commits into
Flagsmith:mainfrom
srijantrpth:fix/issue-7974-frontend-api-proxy-path

Conversation

@srijantrpth

Copy link
Copy Markdown

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

Closes #7974

Fix frontend API proxy stripping /api/v1 prefix

This PR fixes a bug introduced in v2.246.0 where the frontend API proxy strips the mandatory /api/v1 prefix, causing 404/405 errors on SAML SSO logins and all other proxied API calls.

The issue was caused by an upgrade to http-proxy-middleware v3, which removed the automatic req.url patching when mounting a proxy to a specific path via Express.

To resolve this, the middleware configuration in frontend/api/dev-routes.js has been updated to align with the v3 migration guide:

  • Removed the explicit path mount from app.use('/api/v1/').
  • Utilized the pathFilter: '/api/v1/' property inside createProxyMiddleware to ensure the prefix is preserved and forwarded correctly to the backend.

How did you test this code?

I tested this manually by replicating the proxy environment and verifying the routed paths in the backend logs:

  1. Started the Django backend using make serve (listening on port 8000).
  2. Started the frontend dev server with the proxy enabled: FLAGSMITH_PROXY_API_URL=http://localhost:8000 npm run dev
  3. Sent a test POST request to the SAML login endpoint via the frontend proxy:
    curl -X POST http://localhost:8080/api/v1/auth/saml/login/
  4. Verified in the Django backend logs that the request correctly arrived at the full path [django.request] ... request=<WSGIRequest: POST '/api/v1/auth/saml/login/'> instead of the stripped /auth/saml/login/ path.

Copilot AI review requested due to automatic review settings July 14, 2026 14:38
@srijantrpth
srijantrpth requested a review from a team as a code owner July 14, 2026 14:38
@srijantrpth
srijantrpth requested review from talissoncosta and removed request for a team July 14, 2026 14:38
@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

@srijantrpth is attempting to deploy a commit to the Flagsmith Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bcb21c65-7ad5-4991-9c62-3a3e4b05d978

📥 Commits

Reviewing files that changed from the base of the PR and between ffadd58 and ec2d0dc.

📒 Files selected for processing (2)
  • frontend/api/dev-routes.js
  • frontend/api/index.js

📝 Walkthrough

Walkthrough

The optional API proxy in the development routes now passes the createProxyMiddleware instance directly to Express. The /api/v1 route constraint is configured using pathFilter, while the proxy target, changeOrigin, and xfwd settings remain unchanged.

Estimated code review effort: 1 (Trivial) | ~3 minutes


Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the front-end Issue related to the React Front End Dashboard label Jul 14, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to fix a regression where the frontend API proxy strips the required /api/v1 prefix after upgrading to http-proxy-middleware v3, which breaks proxied API calls (notably SAML SSO endpoints).

Changes:

  • Adjusts the dev-server Express proxy wiring to avoid mounting the proxy at '/api/v1/'.
  • Adds a pathFilter: '/api/v1/' filter to proxy only the intended API paths while preserving the prefix.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread frontend/api/dev-routes.js Outdated
Comment thread frontend/api/dev-routes.js Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 90f5680b-2088-4c03-b8b3-97c6411f09ac

📥 Commits

Reviewing files that changed from the base of the PR and between f464a0a and ffadd58.

📒 Files selected for processing (2)
  • frontend/api/dev-routes.js
  • frontend/api/index.js

Comment thread frontend/api/dev-routes.js Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

front-end Issue related to the React Front End Dashboard

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: frontend API proxy strips /api/v1 prefix since 2.246.0 (http-proxy-middleware v3), breaking SAML login and all proxied API calls

2 participants