This repository has been archived by the owner on Mar 16, 2019. It is now read-only.

[SPO] HTTP-Only/Secure Cookies #156

Closed
Meshz opened this issue Oct 14, 2016 · 16 comments

Comments

Meshz commented Oct 14, 2016

Hello,

First of all, thank you for this awesome & helpful package.

I got an issue trying to download a file from SharePoint Online. I log into SPO through the "Fetch API" of RN. In the response headers of the login method I get 2 cookies that are HTTP-Only & Secure, named "rtFa" & "FedAuth". These cookies are automatically set and sent back with every further request.

When I use the Fetch API, I'm able to get data from SPO. However, when I use RNFetchBlob I get "Access denied.". I guess the problem is that the cookies (rtFa & FedAuth) are not passed to the fetch function of your plugin, and I can't set them myself as they are HTTP-Only/Secure.

Any ideas how to resolve this issue? Any help would be greatly appreciated!

wkh237 (Owner) commented Oct 14, 2016

Thanks for reporting this issue. Does it happen on both Android and iOS?

Meshz (Author) commented Oct 14, 2016

I only tried on Android for now tbh.

Do you want me to set it up on iOS and check if it fails too?

wkh237 (Owner) commented Oct 14, 2016

@Meshz , after some investigation I think this may be due to the lack of a cookie storage mechanism in the Android native implementation. I'll add it and publish a beta release.

Meshz (Author) commented Oct 14, 2016

@wkh237 Thanks for your feedback. If you want me to do any tests, I'll be glad to help. :)

wkh237 added a commit that referenced this issue Oct 14, 2016
wkh237 mentioned this issue Oct 14, 2016
wkh237 self-assigned this Oct 14, 2016
wkh237 (Owner) commented Oct 15, 2016

@Meshz , I've added the cookie storage to Android, please try upgrading the package to 0.10.0-beta.2 and see if it works. Thank you 😄

Meshz (Author) commented Oct 15, 2016

@wkh237 I'll test as soon as I can, probably coming back to you on Monday. Thanks!

Meshz (Author) commented Oct 17, 2016

@wkh237 I tried both 0.10.0-beta.2 and 0.10.0-beta.3 and it's not working on my HTC One X+ - 4.4.4 (KitKat API Level 19). Do you need any additional info / output?

wkh237 (Owner) commented Oct 21, 2016

@Meshz , I'm not familiar with SharePoint so I'm not able to gather enough information for this issue. Is there any way I can test it? I think it'd be helpful, thank you 😄

Meshz (Author) commented Oct 22, 2016

@wkh237 I just sent you all the necessary files to your e-mail (x...n@gmail.com). Please let me know if you need any other info!

wkh237 (Owner) commented Oct 23, 2016

@Meshz , thanks for the assistance, that really helps 👍

After some investigation I've spotted that you're using the official Fetch for authorization but try to make the request with RNFB.fetch. The problem is, RNFB's network APIs use their own cookie and cache storage, so those cookies are not sent to SharePoint. I suppose you should replace all the methods with RNFB.fetch (you can simply rewrite them or try to use Fetch Replacement).

However, after solving the cookie issue, I still got the error message

The file /test/Shared Documents/Excel_Test.xslx does not exist.

Not sure if this is caused by our library?

Besides, always keep in mind that when using RNFB.fetch you should escape special characters in the URL yourself; our library will not do this for you.

For example, if the request URL contains OData parameters it usually contains characters that need to be escaped

http://example.com/users/?$filter=name eq wkh237

therefore, you should apply encodeURIComponent to the URL so that it becomes

http://example.com/users?$filter=name%20eq%20wkh237
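Building the request URL for a client that does no percent-encoding of its own, as the comment above describes RNFB.fetch. This is an added example, not code from react-native-fetch-blob or from the thread participants; the origin, paths and filter values are constructed. Applying encodeURIComponent to each path segment and each query value separately (rather than to the whole URL string, which would also escape the scheme and the slashes) produces exactly the URL shown above, and it also keeps a value taken from user input from adding or truncating OData parameters. The odataString helper is an assumption about how callers quote OData string literals (single quotes, with an embedded quote doubled).

```javascript
// Added example, not code from react-native-fetch-blob: build a request URL for a
// client that leaves percent-encoding to the caller. Origin, paths and filter
// values below are constructed.

// Encode each path segment and each query value separately. encodeURIComponent
// escapes space, '&', '#', '=' and '?', so a value taken from user input cannot
// add or truncate parameters; the key (e.g. "$filter") is left as it is.
function buildODataUrl(origin, path, params) {
  const encodedPath = path.split('/').map((seg) => encodeURIComponent(seg)).join('/');
  const query = Object.entries(params)
    .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
    .join('&');
  return query ? `${origin}${encodedPath}?${query}` : `${origin}${encodedPath}`;
}

// Quote a value as an OData string literal: wrap in single quotes and double
// any single quote inside, so the value cannot break out of the literal and
// change the $filter expression.
function odataString(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

// Whether a string is an absolute http(s) URL a client can actually request.
// encodeURIComponent applied to a whole URL fails this, since ':' and '/' are
// escaped too.
function isRequestableUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Usage: the OData example from the comment above.
const exampleUrl = buildODataUrl('http://example.com', '/users', { $filter: 'name eq wkh237' });
// exampleUrl === 'http://example.com/users?$filter=name%20eq%20wkh237'
```

The path segment encoding also covers the "Shared Documents" folder from the error message above: a space in a document library name becomes %20 without the slashes around it being touched.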

Meshz (Author) commented Oct 23, 2016

@wkh237 Thank you for your investigation. Before opening this issue I tried to replace all fetch functions with RNFB.fetch, as I thought this was the problem, but it wasn't working either.

I did it again and now it's working perfectly on Android! I guess the cookie support you added did the job. Are there any downsides to using RNFB.fetch everywhere instead of the official Fetch API? BTW, the error message you received was a mistype I made: .xslx should be replaced by .xlsx. 😅

I won't be able to give you fast feedback for iOS as I'm focusing on Android for now, but as soon as I can try it, I'll come back to you. Thanks again for this plugin and your support! 👍

wkh237 (Owner) commented Oct 23, 2016

Great to hear that 👍 I suppose iOS will also work as expected because I got the same error message (file does not exist) on iOS.

Meshz (Author) commented Oct 23, 2016

@wkh237 Then I guess I can close this issue as it seems to be working on both platforms. Thanks!

Meshz (Author) commented Jan 12, 2017

@wkh237 Hello, I would like to reopen this issue as I feel there is still a problem with the cookie handling. I may be wrong, but I'll lay out the case.

I need to auth with a service through multiple calls which set cookies and then send them back. I believe your implementation rewrites the cookieStore and thus they are not all sent back. I will show the auth flow from a Fiddler capture (from the browser), then the device log from the console.

Fiddler

--- REQUEST #1 ---
POST myhost/... HTTP/1.1
No cookies, just credentials
--- RESPONSE #1 ---
HTTP/1.1 302 Found
Set-Cookie: FedAuth=77...Pg==; expires=Tue, 17-Jan-2017 12:08:51 GMT; path=/; HttpOnly

--- REQUEST #2 (Due to redirect above) ---
GET myhost/... HTTP/1.1
Cookie: FedAuth=77...Pg==
--- RESPONSE #2 ---
HTTP/1.1 200 OK
Set-Cookie: ASP.NET_SessionId=fm...b3; path=/; HttpOnly
Set-Cookie: SearchSession=c0...38; path=/

--- REQUEST #3 ---
POST myhost/... HTTP/1.1
Cookie: SearchSession=c0...38; FedAuth=77...Pg==; ASP.NET_SessionId=fm...b3
--- RESPONSE #3 ---
HTTP/1.1 200 OK

Console of device

01-12 13:43:32.843 19945 21053 I System.out: --- SAVE FROM RESPONSE #1 ---
01-12 13:43:32.844 19945 21053 I System.out: http://myhost/...
01-12 13:43:32.846 19945 21053 I System.out: [FedAuth=77...Pg==; expires=Tue, 17 Jan 2017 12:43:33 GMT; path=/; httponly]

01-12 13:43:32.912 19945 21053 I System.out: --- LOAD FOR REQUEST #2 ---
01-12 13:43:32.912 19945 21053 I System.out: http://myhost/...
01-12 13:43:32.913 19945 21053 I System.out: [FedAuth=77...Pg==; expires=Tue, 17 Jan 2017 12:43:33 GMT; path=/; httponly]

01-12 13:43:33.659 19945 21053 I System.out: --- SAVE FROM RESPONSE #2 ---
01-12 13:43:33.660 19945 21053 I System.out: http://myhost/...
01-12 13:43:33.663 19945 21053 I System.out: [SearchSession=7b...bf; path=/]

01-12 13:43:33.748 19945 21056 I System.out: --- LOAD FOR REQUEST #3 ---
01-12 13:43:33.748 19945 21056 I System.out: http://myhost/...
01-12 13:43:33.748 19945 21056 I System.out: [SearchSession=7b...bf; path=/]

As we can see, the browser concatenates the cookies received for the same host across requests, while RNFetchBlob replaces them and uses only the last "Set-Cookie" header when multiple are received in a response (or loops through all of them and replaces each time, so we only see the last one).

Am I missing something or am I right? If you need any further explanations I'll be glad to help.

Thank you for your time and response.
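The merging behaviour the Fiddler trace above shows, next to the "last Set-Cookie wins" behaviour the device log shows, as an added example that is not part of the thread and not react-native-fetch-blob code. The jar keys cookies by (domain, path, name), so a later response replaces only a cookie of the same name, and it applies the expires, path and Secure rules when deciding what to send. The host name, paths, cookie values and timestamps are constructed placeholders standing in for the truncated ones in the trace; the replayLoginFlow function is a hypothetical driver that walks the three requests of the trace against either store.

```javascript
// Added example, not code from react-native-fetch-blob: a minimal cookie jar that
// merges Set-Cookie headers across responses the way the browser trace above does,
// beside a store that keeps only the last Set-Cookie header, as the device log shows.
// All URLs, header values and timestamps below are constructed placeholders.

// Split "k=v" at the first '=' only, so '=' inside a value (e.g. base64) survives.
function splitOnce(s) {
  const i = s.indexOf('=');
  return i < 0 ? [s.trim(), ''] : [s.slice(0, i).trim(), s.slice(i + 1).trim()];
}

// Parse one Set-Cookie header into a cookie record (subset of RFC 6265 attributes).
function parseSetCookie(header, requestUrl, now = Date.now()) {
  const [pair, ...attrs] = header.split(';');
  const [name, value] = splitOnce(pair);
  const cookie = {
    name, value,
    domain: new URL(requestUrl).hostname, // host-only cookie unless Domain= is given
    path: '/',
    expires: null,                        // null: session cookie, never expires here
    secure: false,                        // Secure: only sent over https
    httpOnly: false,                      // HttpOnly only hides the cookie from browser
  };                                      // script; a native client stores and sends it
  for (const attr of attrs) {
    const [k, v] = splitOnce(attr);
    switch (k.toLowerCase()) {
      case 'path': cookie.path = v.startsWith('/') ? v : '/'; break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'expires': cookie.expires = new Date(v); break;
      case 'max-age': cookie.expires = new Date(now + Number(v) * 1000); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Browser-like jar: a cookie is keyed by (domain, path, name), so a new
// Set-Cookie replaces only the cookie with the same name, never the whole store.
class CookieJar {
  constructor() { this.store = new Map(); }
  storeResponse(requestUrl, setCookieHeaders, now = Date.now()) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, requestUrl, now);
      this.store.set(`${c.domain}|${c.path}|${c.name}`, c);
    }
  }
  cookieHeader(requestUrl, now = Date.now()) {
    const u = new URL(requestUrl);
    const sent = [];
    for (const c of this.store.values()) {
      if (c.expires && c.expires.getTime() <= now) continue; // expired
      if (c.domain !== u.hostname) continue;                 // host-only match
      if (!pathMatches(u.pathname, c.path)) continue;
      if (c.secure && u.protocol !== 'https:') continue;     // Secure: TLS only
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }
}

// The behaviour the device log above shows, for contrast: each response
// overwrites the store and only its last Set-Cookie header survives.
class LastHeaderStore {
  constructor() { this.last = null; }
  storeResponse(requestUrl, setCookieHeaders, now = Date.now()) {
    if (setCookieHeaders.length) {
      this.last = parseSetCookie(setCookieHeaders[setCookieHeaders.length - 1], requestUrl, now);
    }
  }
  cookieHeader() { return this.last ? `${this.last.name}=${this.last.value}` : ''; }
}

// Hypothetical driver: replay the three-request login flow from the Fiddler
// trace against a store and return the Cookie header request #3 would carry.
const LOGIN_TIME = Date.parse('2017-01-12T13:43:33Z'); // matches the log timestamps
function replayLoginFlow(store, now = LOGIN_TIME) {
  // Response #1: 302 with FedAuth (HttpOnly, expires five days later).
  store.storeResponse('http://myhost/login', [
    'FedAuth=fedauth-placeholder; expires=Tue, 17 Jan 2017 12:43:33 GMT; path=/; HttpOnly',
  ], now);
  // Response #2 (the followed redirect): two more cookies for the same host.
  store.storeResponse('http://myhost/home', [
    'ASP.NET_SessionId=session-placeholder; path=/; HttpOnly',
    'SearchSession=search-placeholder; path=/',
  ], now);
  // Request #3: what the client sends.
  return store.cookieHeader('http://myhost/search', now);
}
```

With the merging jar, request #3 carries FedAuth, ASP.NET_SessionId and SearchSession, matching the browser trace; with the last-header store it carries only SearchSession, matching the device log. Because the jar checks expiry against the request time, the same flow replayed after 17 Jan 2017 drops FedAuth, and a cookie set with the Secure attribute (like rtFa from the first comment) is withheld from a plain-http request.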

Meshz reopened this Jan 12, 2017

Meshz (Author) commented Jan 14, 2017

@wkh237 Hello, maybe this issue could be solved by adding the possibility to set clientBuilder.followRedirects(false); on the RNFB.fetch() method as explained in #230.

If the redirect to Request2 is not followed, then the Set-Cookie of Response2 will not overwrite the Set-Cookie of Response1 but I'm not sure if that will work. 🙄

Meshz (Author) commented Jan 15, 2017

Closing this issue as it is solved (at least my case) by adding the option followRedirects as explained in #230.
