New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set x_mtok Cookie on Cordova #676
Conversation
@s-ol I can say you for sure that hardcoded port number won't work. Meteor is using a random port number in the range 12000-13000 for the app based on appId as written in docs. So far I experienced additional CORS issues because of missing header I'd try to implement a hook based solution similar to Unfortunately I don't have that much time right now to submit a proper PR or improvements. |
@vbelolapotkov: good point, i read about that after submitting this too - the port is fixed per app-id though, so it can be fixed e.g. in I have not included all headers in the PR since we set some by nginx, but you are right, there may be some more required. Especially regarding byte ranges. The |
AFAIK the port is randomized and will be different on each application (or at least has a minimized collision chance). |
@vbelolapotkov the port issue is resolved now, I am thinking about moving the remaining headers into responseHeaders as you said. Had a chance to look at this, @dr-dimitru? |
Added |
@vbelolapotkov your remarks from above are all solved as far as I can tell. Have you tested this current state again? @dr-dimitru we have been testing this solution and have now been using this branch in production over at @risetechnologies for some time. As far as we are concerned, it finally solves the Cookie Problem with no added user effort or tech complexity in many cases, and low effort in the few necessary cases (fetching files via XHR). |
@s-ol thank you for the update. This week is super busy for me. Scheduled testing for the next week. Will update you once done. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added some notes with minor change request, ready to merge asap
I have a question for all developers in this thread (@s-ol, @vbelolapotkov, and @menelike, @jankapunkt) — Shall we apply changes only to Let me explain: We can achieve the same results using |
That will help to keep package extendable/hackable and lightweight, with good documentation |
@s-ol is actually helping me/us (@risetechnologies) to implement this, so I will agree upon his recommendations. All I can say about this at this point is that this finally solves the Cordova authentication issues we had to fight with (including a lot of drawbacks) for the last two years. Especially scaling meteor is cumbersome without the changes of this PR. |
@dr-dimitru I've tried to use |
@vbelolapotkov thank you for valuable feedback
You're right!
Sounds like something we can apply quickly |
@dr-dimitru my main concern has always been first to make it possible in general. My main reasoning for pushing this into the Meteor-Files source in general is the following: In my opinion, if I install Meteor-Files and it doesn't just work on Cordova, then Meteor-Files is buggy. |
In many cases I strongly agree with minimising bloat / splitting out features into extension packages, user code etc. In this case I think that might be wrong, because this is not really a "user feature" although it can be added as one. I see this more as a core part of what Meteor-Files is trying to do - make uploading files work in all of Meteor. Lastly (and sorry for the long lamentation) as we know from the long history of this PR and the previous issues, this is a very difficult topic to understand! It took me two attempts of at least two weeks each time, spread apart by a year to figure out what exactly the parameters of the problem are. Most users will be unwilling or unable to do this amount of research by themselves. Do you want to trust users to take your solution into their code, where they have to maintain it themselves, without fully knowing the problem? |
Folks let us please set up a common ground as a base for further discussions: PreconditionThe Meteor Cordova implementation is completely incompatible with cookies, either you change the implementation of https://github.com/meteor/cordova-plugin-meteor-webapp or you work around this. Status quoHaving no cookies means:
Both cases have workarounds, none of them make fun. The result of this PRWe are using https://github.com/risetechnologies/Meteor-Files/tree/cordova-send1.1.0 in conjunction with https://github.com/risetechnologies/Meteor-Cookies/tree/cordova-send2.4.0 We can use http uploads and don't need to think about xmtok in general. The only downside is that we need to set withCredentials whenever we use to make calls like:
window.fetch(url, {
method: 'GET',
credentials: 'same-origin',
})
Please note that we had to do this anyway to support the sticky sessions coming from our load balancer, so those examples are not directly related to More importantly, we don't need to do any of this if you just want to, for example, load an Background storyInitially, when we set up our load balancers we observed that cookies set by the server (sticky sessions) were actually used by further requests from the Cordova application, our plan was to make use of that. The way it works is that the client ( Last wordsThe implementation details can, of course, be discussed, but if the design behind this isn't acceptable it is nonsense to discuss this PR any further. We just wanted to share this with you folks, if you aren't interested that's absolutely fine, but we should stop wasting time on both ends. *On a sidenote: veliovgroup/meteor-cookies@d2717c4 |
__New:__ - `allowedOrigins` option - {*Regex*|*Boolean*} - Regex of Origins that are allowed CORS access or `false` to disable completely. Default: `/^http:\/\/localhost:12\d\d\d$/`. Defaults to `localhost:12000`-`localhost:13000` for allowing Meteor-Cordova builds access. Thanks to @risetechnologies for sending a PR #676 - `interceptRequest` hook - {*Function*} - this option is much higher than `interceptDownolad` in the router callback-chain, right after path match condition. Hook called with single argument — `{http: {request: {...}, response: {...}}, params: {...}}` object with minimally parsed URI params __Other:__ - 👷♂️ Merge #676, solving authentication on *Cordova*, - thanks to @risetechnologies - 👨💻️ Fix ending/closing reading stream of a file, and potential memory leaks. Thanks to @bbenoist for proposing this in #711 - 👨💻 Reorder callbacks in `.abort()` method of *FileUpload* instance on the *Client*. Fixing #706, thanks to @mariusrak and @jankapunkt - 📦 Upgrade NPM and Atmosphere dependencies - 📦 [NPM] `file-type` update to `12.3.0`, *was `12.0.0`* - 📦 [Atmosphere] `ostrio:cookies` update to `2.4.1`, *was `2.3.0`*
@dr-dimitru Glad that this got merged! Fantastic. Please don't forget that this only works in conjunction with https://github.com/risetechnologies/Meteor-Cookies/tree/cordova-send2.4.0 Do you want me to create a pull request for the second part? UpdateOpened a new PR at veliovgroup/meteor-cookies#14 |
This PR supersedes #659. It is more lightweight and cleans up all the comments from that PR.
For fixing the cookie transport problem, it uses the
ostrio:cookies
send()
method.This method, or rather all of
ostrio:cookies
, was broken for Cordova previously.A fix for all of this has been provided in veliovgroup/meteor-cookies#11 and is a precondition for this PR.
Changes in this PR:
cookie.send()
on CordovaAccess-Control-Allow-Credentials: true
andAccess-Control-Allow-Origin
forhttp://localhost:12000-13000
on/cdn/...
routesOPTIONS
HTTP requests correctly to enable CORS uploads