New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Logout endpoint should use POST not GET #1830
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1830 +/- ##
==========================================
+ Coverage 49.38% 49.52% +0.14%
==========================================
Files 427 428 +1
Lines 18341 18466 +125
Branches 1636 1636
==========================================
+ Hits 9058 9146 +88
- Misses 8493 8518 +25
- Partials 790 802 +12 |
… button and then click through
…ar across the apps.
I can't seem to get this working in Internet Explorer. The best I can get is that CSRF middleware is blocking me, but I can't figure why. The cookie is certainly getting sent along with |
src/shared/User/api.js
Outdated
console.log('============'); | ||
console.log(token); | ||
console.log(document.cookie); | ||
console.log('============'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to remove this, but only after I figure out if the cookie is incorrect.
pkg/logging/log.go
Outdated
@@ -85,6 +85,7 @@ func LogRequestMiddleware(gitBranch string, gitCommit string) func(inner http.Ha | |||
zap.String("x-forwarded-for", r.Header.Get("x-forwarded-for")), | |||
zap.String("x-forwarded-host", r.Header.Get("x-forwarded-host")), | |||
zap.String("x-forwarded-proto", r.Header.Get("x-forwarded-proto")), | |||
zap.String("x-csrf-token", r.Header.Get("x-csrf-token")), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make sure to remove this before merging. It's for testing that the token is being sent properly from IE (which it is!).
… via an async operation while sending another request
I can debug go in goland if you want to look at the guts of the request. Happy to pair on it or stand in as 🦆 to bounce ideas |
pkg/handlers/responders.go
Outdated
} | ||
} | ||
|
||
// WriteResponse updates the session cookie before writing out the details of the response | ||
func (cur *CookieUpdateResponder) WriteResponse(rw http.ResponseWriter, p runtime.Producer) { | ||
auth.WriteSessionCookie(rw, cur.session, cur.cookieSecret, cur.noSessionTimeout, cur.logger) | ||
auth.WriteMaskedCSRFCookie(rw, csrf.Token(cur.request), cur.noSessionTimeout, cur.logger) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what this does is ensure even API requests get the cookie set. I'm not clear on if it's helping.
src/shared/User/api.js
Outdated
}) | ||
.catch(err => { | ||
console.log(err); | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What should I do with error responses?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe send a signal that the browser is idle.
Latest change works in MSEdge! Thanks @donaldthai . Now to get the integration tests working. |
{{.Email}} | ||
({{if .DpsUserID}}dps{{else if .TspUserID}}tsp{{else if .OfficeUserID}}office{{else}}milmove{{end}}) | ||
<button name="id" value="{{.ID}}" data-hook="existing-user-login">Login</button> | ||
<input type="hidden" name="id" value="{{.ID}}" /> | ||
<button type="submit" value="{{.ID}}" data-hook="existing-user-login">Login</button> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This fixes how IE11 does login, which previously wasn't working. Thanks to @donaldthai for the fix!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Description
We should not use GET for logout. This changes the endpoints, uses forms, and changes the redirect from a 307 to a 303.
Reviewer Notes
In this PR I modify the middleware to only create one public CSRF Token in the middleware. The reason for this is that we only need it to change on session updates (like user login/logout) and for debugging you can't track multiple public tokens (even though they ought to all unmask as the same value). It's a little less logic to have to parse when looking into CSRF issues.
Similarly, I no longer call
csrf.Token(r)
in all the places. Instead I rely on the middleware to properly set the cookie and then we only grab it from the cookie. This changes how the devlocal login page works but has no real effect, except again, to eliminate confusion about what tokens are being generated for debugging.Setup
Login and then logout!
Code Review Verification Steps
References
A number of past PRs that I looked at while prepping this PR: