Skip to content

Bug: frontend API proxy strips /api/v1 prefix since 2.246.0 (http-proxy-middleware v3), breaking SAML login and all proxied API calls #7974

Description

@landonjs

How are you running Flagsmith

  • Self Hosted with Docker
  • Self Hosted with Kubernetes
  • SaaS at flagsmith.com
  • Some other way (add details in description below)

Describe the bug

Summary

Since v2.246.0, the frontend's built-in API proxy (FLAGSMITH_PROXY_API_URL) forwards requests to the API without the /api/v1 prefix. Every API call routed through the frontend proxy 404s/405s on the Django API. For deployments where the frontend proxy fronts the whole app, SAML SSO login is the first visible failure: the IdP's SAML response POST reaches Django as /auth/saml/<org>/response/ and is rejected with 405 Method Not Allowed, making SSO login impossible.

Environment

  • Flagsmith Enterprise (self-hosted), split API + frontend deployment
  • Deployed with the official Helm chart, frontend.apiProxy.enabled: true (which sets FLAGSMITH_PROXY_API_URL)
  • Working: API + frontend 2.241.0 — Broken: API + frontend 2.252.0 (regression introduced in 2.246.0)
  • Auth: SAML SSO (HTTP-POST binding to the ACS URL)

Root cause

PR #7830 (commit d0d81d7, shipped in v2.246.0) bumped http-proxy-middleware from 2.0.9 to 3.0.7 as a dependency-only change — no application code was adapted.

The proxy is mounted in frontend/api/dev-routes.js (unchanged between 2.241.0 and 2.252.0):

app.use(
  '/api/v1/',
  createProxyMiddleware({
    changeOrigin: true,
    target: process.env.FLAGSMITH_PROXY_API_URL,
    xfwd: true,
  }),
)

http-proxy-middleware v3 has a documented breaking change for exactly this pattern (MIGRATION_V3.md):

Removed req.url patching — "When proxy is mounted on a path, this path should be provided in the target."

In v2, the middleware forwarded the full original URL, so the API received /api/v1/.... In v3, Express strips the mount path from req.url and the middleware forwards the stripped path — the API now receives the request without /api/v1.

Observed behavior

With 2.252.0 deployed, the Django API logs (for what left the browser/IdP as /api/v1/... requests):

Invalid request made to /auth/saml/<org>/response/ with method POST
Method Not Allowed: /auth/saml/<org>/response/
Invalid request made to /auth/saml/login/ with method POST
Method Not Allowed: /auth/saml/login/

These errors began at the exact minute the 2.252.0 frontend went live and stopped immediately on rollback to 2.241.0 (zero occurrences in the preceding 7 days). SP-initiated SSO fails at the login click; IdP-initiated fails at the ACS POST.

Note this is not SAML-specific — all frontend-proxied API traffic loses its prefix — but on SSO-only deployments, login is the gate that makes it visible.

Steps To Reproduce

Steps to reproduce

  1. Deploy Flagsmith ≥2.246.0 with split frontend/API and FLAGSMITH_PROXY_API_URL set (e.g. Helm chart with frontend.apiProxy.enabled: true).
  2. Send any request through the frontend, e.g. POST https://<frontend>/api/v1/auth/saml/<org>/response/.
  3. Observe the API receives POST /auth/saml/<org>/response/ (prefix stripped) and returns 405. On ≤2.245.x the same request reaches the API as /api/v1/auth/saml/<org>/response/ and succeeds.

Expected behavior

Front end works

Screenshots

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions