Logout endpoint should use POST not GET #1830
Conversation
|
Code looks fine, and it tested well for me on IE11 I think the new logout button needs some formatting though: Old: |
Codecov Report
@@ Coverage Diff @@
## master #1830 +/- ##
==========================================
+ Coverage 49.38% 49.52% +0.14%
==========================================
Files 427 428 +1
Lines 18341 18466 +125
Branches 1636 1636
==========================================
+ Hits 9058 9146 +88
- Misses 8493 8518 +25
- Partials 790 802 +12 |
… button and then click through
…ar across the apps.
chrisgilmerproj
requested review from
Ronolibert,
pjdufour-truss,
rdhariwal and
stangah
|
I can't seem to get this working in Internet Explorer. The best I can get is that CSRF middleware is blocking me, but I can't figure why. The cookie is certainly getting sent along with |
src/shared/User/api.js
Outdated
| console.log('============'); | ||
| console.log(token); | ||
| console.log(document.cookie); | ||
| console.log('============'); |
There was a problem hiding this comment.
I need to remove this, but only after I figure out if the cookie is incorrect.
pkg/logging/log.go
Outdated
| @@ -85,6 +85,7 @@ func LogRequestMiddleware(gitBranch string, gitCommit string) func(inner http.Ha | |||
| zap.String("x-forwarded-for", r.Header.Get("x-forwarded-for")), | |||
| zap.String("x-forwarded-host", r.Header.Get("x-forwarded-host")), | |||
| zap.String("x-forwarded-proto", r.Header.Get("x-forwarded-proto")), | |||
| zap.String("x-csrf-token", r.Header.Get("x-csrf-token")), | |||
There was a problem hiding this comment.
Make sure to remove this before merging. It's for testing that the token is being sent properly from IE (which it is!).
… via an async operation while sending another request
I can debug go in goland if you want to look at the guts of the request. Happy to pair on it or stand in as 🦆 to bounce ideas |
pkg/handlers/responders.go
Outdated
| } | ||
| } | ||
|
|
||
| // WriteResponse updates the session cookie before writing out the details of the response | ||
| func (cur *CookieUpdateResponder) WriteResponse(rw http.ResponseWriter, p runtime.Producer) { | ||
| auth.WriteSessionCookie(rw, cur.session, cur.cookieSecret, cur.noSessionTimeout, cur.logger) | ||
| auth.WriteMaskedCSRFCookie(rw, csrf.Token(cur.request), cur.noSessionTimeout, cur.logger) |
There was a problem hiding this comment.
I think what this does is ensure even API requests get the cookie set. I'm not clear on if it's helping.
src/shared/User/api.js
Outdated
| }) | ||
| .catch(err => { | ||
| console.log(err); | ||
| }); |
There was a problem hiding this comment.
What should I do with error responses?
There was a problem hiding this comment.
Maybe send a signal that the browser is idle.
|
Latest change works in MSEdge! Thanks @donaldthai . Now to get the integration tests working. |
| {{.Email}} | ||
| ({{if .DpsUserID}}dps{{else if .TspUserID}}tsp{{else if .OfficeUserID}}office{{else}}milmove{{end}}) | ||
| <button name="id" value="{{.ID}}" data-hook="existing-user-login">Login</button> | ||
| <input type="hidden" name="id" value="{{.ID}}" /> | ||
| <button type="submit" value="{{.ID}}" data-hook="existing-user-login">Login</button> |
There was a problem hiding this comment.
This fixes how IE11 does login, which previously wasn't working. Thanks to @donaldthai for the fix!
Description
We should not use GET for logout. This changes the endpoints, uses forms, and changes the redirect from a 307 to a 303.
Reviewer Notes
In this PR I modify the middleware to only create one public CSRF Token in the middleware. The reason for this is that we only need it to change on session updates (like user login/logout) and for debugging you can't track multiple public tokens (even though they ought to all unmask as the same value). It's a little less logic to have to parse when looking into CSRF issues.
Similarly, I no longer call
csrf.Token(r)in all the places. Instead I rely on the middleware to properly set the cookie and then we only grab it from the cookie. This changes how the devlocal login page works but has no real effect, except again, to eliminate confusion about what tokens are being generated for debugging.Setup
Login and then logout!
Code Review Verification Steps
References
A number of past PRs that I looked at while prepping this PR: