How are you running Flagsmith
Describe the bug
Summary
Since v2.246.0, the frontend's built-in API proxy (FLAGSMITH_PROXY_API_URL) forwards requests to the API without the /api/v1 prefix. Every API call routed through the frontend proxy 404s/405s on the Django API. For deployments where the frontend proxy fronts the whole app, SAML SSO login is the first visible failure: the IdP's SAML response POST reaches Django as /auth/saml/<org>/response/ and is rejected with 405 Method Not Allowed, making SSO login impossible.
Environment
- Flagsmith Enterprise (self-hosted), split API + frontend deployment
- Deployed with the official Helm chart,
frontend.apiProxy.enabled: true (which sets FLAGSMITH_PROXY_API_URL)
- Working: API + frontend 2.241.0 — Broken: API + frontend 2.252.0 (regression introduced in 2.246.0)
- Auth: SAML SSO (HTTP-POST binding to the ACS URL)
Root cause
PR #7830 (commit d0d81d7, shipped in v2.246.0) bumped http-proxy-middleware from 2.0.9 to 3.0.7 as a dependency-only change — no application code was adapted.
The proxy is mounted in frontend/api/dev-routes.js (unchanged between 2.241.0 and 2.252.0):
app.use(
'/api/v1/',
createProxyMiddleware({
changeOrigin: true,
target: process.env.FLAGSMITH_PROXY_API_URL,
xfwd: true,
}),
)
http-proxy-middleware v3 has a documented breaking change for exactly this pattern (MIGRATION_V3.md):
Removed req.url patching — "When proxy is mounted on a path, this path should be provided in the target."
In v2, the middleware forwarded the full original URL, so the API received /api/v1/.... In v3, Express strips the mount path from req.url and the middleware forwards the stripped path — the API now receives the request without /api/v1.
Observed behavior
With 2.252.0 deployed, the Django API logs (for what left the browser/IdP as /api/v1/... requests):
Invalid request made to /auth/saml/<org>/response/ with method POST
Method Not Allowed: /auth/saml/<org>/response/
Invalid request made to /auth/saml/login/ with method POST
Method Not Allowed: /auth/saml/login/
These errors began at the exact minute the 2.252.0 frontend went live and stopped immediately on rollback to 2.241.0 (zero occurrences in the preceding 7 days). SP-initiated SSO fails at the login click; IdP-initiated fails at the ACS POST.
Note this is not SAML-specific — all frontend-proxied API traffic loses its prefix — but on SSO-only deployments, login is the gate that makes it visible.
Steps To Reproduce
Steps to reproduce
- Deploy Flagsmith ≥2.246.0 with split frontend/API and
FLAGSMITH_PROXY_API_URL set (e.g. Helm chart with frontend.apiProxy.enabled: true).
- Send any request through the frontend, e.g.
POST https://<frontend>/api/v1/auth/saml/<org>/response/.
- Observe the API receives
POST /auth/saml/<org>/response/ (prefix stripped) and returns 405. On ≤2.245.x the same request reaches the API as /api/v1/auth/saml/<org>/response/ and succeeds.
Expected behavior
Front end works
Screenshots
No response
How are you running Flagsmith
Describe the bug
Summary
Since v2.246.0, the frontend's built-in API proxy (
FLAGSMITH_PROXY_API_URL) forwards requests to the API without the/api/v1prefix. Every API call routed through the frontend proxy 404s/405s on the Django API. For deployments where the frontend proxy fronts the whole app, SAML SSO login is the first visible failure: the IdP's SAML response POST reaches Django as/auth/saml/<org>/response/and is rejected with405 Method Not Allowed, making SSO login impossible.Environment
frontend.apiProxy.enabled: true(which setsFLAGSMITH_PROXY_API_URL)Root cause
PR #7830 (commit
d0d81d7, shipped in v2.246.0) bumpedhttp-proxy-middlewarefrom 2.0.9 to 3.0.7 as a dependency-only change — no application code was adapted.The proxy is mounted in
frontend/api/dev-routes.js(unchanged between 2.241.0 and 2.252.0):http-proxy-middlewarev3 has a documented breaking change for exactly this pattern (MIGRATION_V3.md):In v2, the middleware forwarded the full original URL, so the API received
/api/v1/.... In v3, Express strips the mount path fromreq.urland the middleware forwards the stripped path — the API now receives the request without/api/v1.Observed behavior
With 2.252.0 deployed, the Django API logs (for what left the browser/IdP as
/api/v1/...requests):These errors began at the exact minute the 2.252.0 frontend went live and stopped immediately on rollback to 2.241.0 (zero occurrences in the preceding 7 days). SP-initiated SSO fails at the login click; IdP-initiated fails at the ACS POST.
Note this is not SAML-specific — all frontend-proxied API traffic loses its prefix — but on SSO-only deployments, login is the gate that makes it visible.
Steps To Reproduce
Steps to reproduce
FLAGSMITH_PROXY_API_URLset (e.g. Helm chart withfrontend.apiProxy.enabled: true).POST https://<frontend>/api/v1/auth/saml/<org>/response/.POST /auth/saml/<org>/response/(prefix stripped) and returns 405. On ≤2.245.x the same request reaches the API as/api/v1/auth/saml/<org>/response/and succeeds.Expected behavior
Front end works
Screenshots
No response