Redirect on login and cookie handling #381
Still a WIP and wondering how we might have a list of approved redirects.
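The open question above is how to keep the `?next=` parameter from turning `/login` into an open redirect. The following is an added example, not conda-store's code: a server-side validator in the project's language that accepts only relative paths or absolute URLs whose host is the one that served the login page or is on a constructed allowlist (`APPROVED_REDIRECT_HOSTS` and `safe_next_url` are hypothetical names). Everything else falls back to `/`, including protocol-relative (`//host`) and backslash variants that browsers treat as cross-host navigations.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the login flow may redirect to after
# authenticating.  Hypothetical values, not conda-store's configuration.
APPROVED_REDIRECT_HOSTS = {"conda-store.localhost", "localhost"}


def safe_next_url(next_param, request_host, allowed_hosts=APPROVED_REDIRECT_HOSTS, fallback="/"):
    """Return a post-login redirect target that is safe to send the browser to.

    Accepted:
      * relative paths ("/envs", "/api/v1/permission/"), which stay on this server;
      * absolute http(s) URLs whose host is the host that served the login page
        or is on the allowlist (the port is ignored, as the PR does for cookies).
    Anything else (other hosts, protocol-relative "//host", javascript:, data:)
    collapses to `fallback`, so a crafted ?next= cannot send the user to an
    attacker-chosen site after they authenticate.
    """
    if not next_param:
        return fallback
    # Browsers treat "/\\host" like "//host"; normalise so urlsplit sees it too.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require exactly one leading slash.  "//host" was
        # already parsed into netloc, and "///x" is rejected to stay on the safe side.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return fallback

    own_host = request_host.split(":", 1)[0].lower()  # strip any port
    if parts.hostname == own_host or parts.hostname in allowed_hosts:
        return candidate
    return fallback
```

The login handler would call `safe_next_url(request.query_params.get("next"), request.headers["host"])` and redirect to whatever comes back; because the function never returns a host outside the allowlist, the `next=https://google.com` used in the tests below would land on `/` instead of leaving the site.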
Force-pushed from 9c9d5f8 to 4427153.
Significant testing to get this working on browsers. I'm still not 100% sure I'm implementing this correctly. @pierrotsmnrd I could use some help to test this on your end.
This has been a fun journey getting cors + cookies + redirect to work together in username/password and oauth2 authentication. Check that from the

```javascript
fetch("https://conda-store.localhost/conda-store/api/v1/permission/", {credentials: "include"}).then((r) => r.json()).then((d) => console.log(d.data.authenticated))
// should show false if haven't logged in
window.location = "https://conda-store.localhost/conda-store/login?next=https://google.com";
// should pass you through the login flow
fetch("https://conda-store.localhost/conda-store/api/v1/permission/", {credentials: "include"}).then((r) => r.json()).then((d) => console.log(d.data.authenticated))
// should now show true
```

Try the same with

```javascript
fetch("http://localhost:5000/api/v1/permission/", {credentials: "include"}).then((r) => r.json()).then((d) => console.log(d.data.authenticated))
// should show false if haven't logged in
window.location = "http://localhost:5000/login?next=https://google.com";
// should pass you through the login flow
fetch("http://localhost:5000/api/v1/permission/", {credentials: "include"}).then((r) => r.json()).then((d) => console.log(d.data.authenticated))
// should now show true
```

I've been able to verify that this works for firefox and chrome. A future PR will be to validate that the
Force-pushed from 1bde560 to 5593e6f.
Well this is a bug in cypress: The dilemma is that I need to set Also the All this is to say cypress doesn't look like it is going to handle this. But this PR should be treated as passing.
Force-pushed from 9abe406 to 82888b4.

Force-pushed from a0fe8a4 to fd38c7c.
Here are the results of my tests: With

with the standalone stack:

On Firefox, with the standalone app, here is the full request of the second fetch:

Response header:

```
date: Wed, 24 Aug 2022 07:50:48 GMT
server: uvicorn
content-length: 224
content-type: application/json
access-control-allow-credentials: true
access-control-allow-origin: https://www.google.com
vary: Origin
```

I hope this confusing mess helps ...
Thanks for testing all this @pierrotsmnrd! So at best this is not a great solution... since we get unpredictable results. In fact other services like jupyterhub refuse to have crossorigin cookies. jupyterhub/jupyterhub#1087. Basically saying that for anything cross origin tokens are the way to go. We'll need to think on this and how this might be done.
Force-pushed from fd38c7c to b45b8b6.
Dropping the cookie functionality and only supporting samesite=strict. This is really the only secure option and the only way to ensure compatibility on all browsers. @pierrotsmnrd as long as the sites have the same hostname (port does not matter) testing should work.
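To make the "unpredictable results" above and the final SameSite=Strict decision concrete, here is an added example (not conda-store's code) that replays the PR's test matrix in Python. It models two browser decisions that both have to pass before `d.data.authenticated` can come back `true` from a cross-origin `fetch(..., {credentials: "include"})`: whether the session cookie is attached at all (SameSite and Secure rules) and whether the CORS response lets the page read the reply. The captured headers are the ones from the Firefox test report above; the cookie attributes, the scenario names and the `echo` helper are constructed for the example. The site comparison is simplified to exact hostname plus scheme, which matches the "same hostname, port does not matter" rule stated above; real browsers compare the registrable domain, so subdomains are treated more strictly here than in a browser.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

PERMISSION_URL = "https://conda-store.localhost/conda-store/api/v1/permission/"

# Response headers Firefox showed for the second fetch in the test report above:
# the server echoed the page's origin and allowed credentials.
CAPTURED_HEADERS = {
    "access-control-allow-credentials": "true",
    "access-control-allow-origin": "https://www.google.com",
    "vary": "Origin",
}


@dataclass(frozen=True)
class Cookie:
    """SameSite/Secure attributes of the session cookie (constructed values)."""
    samesite: str = "Strict"  # "Strict", "Lax" or "None"
    secure: bool = True


def site_of(url):
    """(scheme, hostname) the SameSite comparison is made on; port ignored.
    Simplification: browsers compare the registrable domain, not the exact host."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower())


def origin_of(url):
    """Origin string the browser sends in the Origin request header."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{scheme}://{(p.hostname or '').lower()}{port}"


def cookie_attached(page_url, request_url, cookie, top_level_navigation=False, method="GET"):
    """Would the browser attach `cookie` to a request from a page at `page_url`
    to `request_url`?  Encodes the SameSite and Secure rules."""
    if cookie.secure and urlsplit(request_url).scheme.lower() != "https":
        return False  # Secure cookies only travel over https (localhost exemption not modelled)
    same_site = site_of(page_url) == site_of(request_url)
    mode = cookie.samesite.lower()
    if mode == "strict":
        return same_site
    if mode == "lax":
        # Lax also rides on top-level navigations with safe methods (link clicks,
        # redirects), but never on a cross-site fetch().
        return same_site or (top_level_navigation and method.upper() in ("GET", "HEAD"))
    if mode == "none":
        # None is only honoured together with Secure; otherwise the browser
        # rejects the cookie when it is set, so it is never sent anywhere.
        return cookie.secure
    raise ValueError(f"unknown SameSite value: {cookie.samesite}")


def cors_allows_credentials(response_headers, origin):
    """Browser check for credentials: "include": the page's origin must be echoed
    back exactly ("*" is rejected) and credentials must be allowed."""
    h = {k.lower(): v for k, v in response_headers.items()}
    return (h.get("access-control-allow-credentials") == "true"
            and h.get("access-control-allow-origin") == origin)


def permission_check_authenticated(page_url, request_url, cookie, response_headers):
    """True when the fetch from the test script above would log
    data.authenticated == true: cookie attached AND response readable."""
    return (cookie_attached(page_url, request_url, cookie)
            and cors_allows_credentials(response_headers, origin_of(page_url)))


def scenarios():
    """Replay the PR's test matrix; returns {scenario name: authenticated?}."""
    strict = Cookie("Strict", secure=True)

    def echo(page_url):  # constructed: a server echoing back the Origin it received
        return {"access-control-allow-credentials": "true",
                "access-control-allow-origin": origin_of(page_url)}

    return {
        # Page served by conda-store itself: Strict works.
        "same-site strict": permission_check_authenticated(
            "https://conda-store.localhost/conda-store/", PERMISSION_URL, strict,
            echo("https://conda-store.localhost/")),
        # After next=https://google.com the page is google.com: CORS headers are
        # fine (captured above) but a Strict cookie is never attached.
        "google.com page, strict": permission_check_authenticated(
            "https://www.google.com/", PERMISSION_URL, strict, CAPTURED_HEADERS),
        # SameSite=None; Secure is the only way to attach a cookie cross-site...
        "google.com page, none+secure": permission_check_authenticated(
            "https://www.google.com/", PERMISSION_URL, Cookie("None", secure=True),
            CAPTURED_HEADERS),
        # ...and None without Secure (all plain http://localhost:5000 could set)
        # is rejected outright, even for a same-site request.
        "localhost:5000 over http, none without secure": permission_check_authenticated(
            "http://localhost:5000/", "http://localhost:5000/api/v1/permission/",
            Cookie("None", secure=False), echo("http://localhost:5000/")),
        # Same hostname, different port: still same-site, so Strict suffices.
        "same host different port, strict": cookie_attached(
            "http://localhost:8080/", "http://localhost:5000/api/v1/permission/",
            Cookie("Strict", secure=False)),
    }
```

Running `scenarios()` shows why the cookie approach was dropped: the only scenario in which a page reached via `next=https://google.com` sees `authenticated == true` is `SameSite=None; Secure`, which is exactly the cross-site cookie the jupyterhub discussion refuses to support, while `Strict` works whenever the page and the API share a hostname regardless of port.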