[PUI] Session authentication #6970
Conversation
- Remove API token functions - Simplify cookie approach - Add isLoggedIn method
- Existing (invalid) session token causes 403
- Point to the right host - Simplify code - Now we use session cookies, so it *Just Works*
- Now works with remote host
SchrodingersGat
added
api
✅ Deploy Preview for inventree-web-pui-preview canceled.
|
|
@matmair I was playing around with #6399 - trying to get it to work reliably. In the end (and after reading way too many docs on cookies / cross site stuff) I have discovered that we need some backend changes too. So, I have written this new implementation which replaces #6399 This has been tested with attachment upload / download and handles it all quite cleanly (as far as I have been able to test) Let me know what you think! |
|
@matmair can you give some insight into the playwright tests failing? |
There was a problem hiding this comment.
I never used session authentication with a SPA. I always used api tokens. How does this session cookie work when the backend is hosted somewhere else than the frontend? E.g. like the netlify previews with the demo server. Do there need to be something configured specifically?
Co-authored-by: Lukas <76838159+wolflu05@users.noreply.github.com>
The host needs to have the correct CORS and CSRF settings configured. I have tested that this works on the devcontainer setup (which is effectively a CORS request from The current netlify previews won't work because the demo server code needs updating (based on this PR). But once that is updated it will work fine |
|
So you need to explicitly configure the netlify domain in the demo server then? Or is there a wildcard allowed currently on the demo server? |
|
The demo server already allows cross origin requests from the netlify preview site |
|
To me, the frontend tests make it look like the username field are not available. @SchrodingersGat Have you checked that the tests run on your dev setup? |
|
@matmair I cannot run these tests locally, I believe that it is due to incompatibility with the alpine devcontainer. I get errors like: |
|
It seems to run on my dev setup, I will try to fix this CI on the weekend |
Thanks @matmair , much appreciated. |
|
Looks like it is working better this way - maybe increasing the timeouts might help a bit |
|
Still not wrapping my head around these tests :| |
|
@SchrodingersGat it seems like there are problems with login on tests that do not specifically cover logins. Maybe we can bypass logging in there similar to #7022 to solve this? Testing login once specifically should be enough. |
|
Woo! It works, finally :) Thanks for the help with the tests @matmair |
|
Seeing that coveralls coverage for PUI was disabled here - should we discuss #6986? |
This PR provides session based authentication for the react frontend. A number of backend changes are also required for this to work correctly. A lot of testing has been performed to ensure that it covers various login / logout edge cases.
Major Features
<img>tag (and works!)/api/auth/login/to prevent login failure with stalesessionidcookie