This repository has been archived by the owner on Aug 1, 2023. It is now read-only.

Broken on recent versions of discourse #8

Open
larrysalibra opened this issue Dec 31, 2020 · 3 comments

Comments

@larrysalibra
Collaborator

This plugin is broken in recent versions (true as of 2.5.6) of discourse.

The Stacks Foundation is looking for help with updating the plugin. (stacksgov/grants-program#29)

Related issues/info:

stacks-archive/blockstack.org#392
https://github.com/blockstack/blockstack.org/issues/1159
https://github.com/blockstack/omniauth-blockstack/blob/master/lib/omniauth/strategies/blockstack.rb#L39-L42

@larrysalibra
Collaborator Author

I spent a couple hours taking a look at this today.

@wileyj writes:

Pretty sure the issue is here:
https://github.com/blockstack/omniauth-blockstack/blob/master/lib/omniauth/strategies/blockstack.rb#L39-L42

One issue is here. What's supposed to happen is when /auth/blockstack?manifest=true is fetched by the authenticator, the manifest json is returned. It appears discourse changed behavior such that it instead returns an HTML page with a button the user has to click on before the JSON is returned by the omniauth strategy. I imagine this has something to do with the discourse folks trying to address cross-site scripting, but it breaks our authentication flow.

One short-term way to work around this is to put the discourse installation behind a proxy and intercept requests to /auth/blockstack?manifest=true and return the manifest json.

A longer term solution would be really digging into the internals of discourse to figure out a better way to do this - there might not be a way to do it in a supported fashion.

A second issue was reported by @tvr132b here: https://github.com/blockstack/blockstack.org/issues/1159#issue-687503148

This issue is with the content security policy added by discourse. You need to disable the included content security policy on discourse or add the unsafe-inline keyword (unclear how to do this on discourse in a supported way).
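The proxy workaround described in the comment above, sketched as an nginx configuration (an added example, not part of this issue, the plugin or Discourse): the proxy answers the manifest request itself and forwards every other request to Discourse unchanged, so only that one path bypasses the interstitial page. The upstream address, hostname, manifest field values and the CORS header are assumptions; the manifest JSON is constructed and must be replaced with the forum's own.

```nginx
# Assumption: the Discourse application listens on this address.
upstream discourse_app {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name forum.example.com;   # placeholder hostname
    ssl_certificate     /etc/nginx/tls/forum.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/forum.example.com.key;   # placeholder path

    # Constructed manifest: replace every value with the forum's own.
    set $blockstack_manifest '{"name":"Example Forum","start_url":"https://forum.example.com","description":"Sign in to Example Forum","icons":[{"src":"https://forum.example.com/logo.png","sizes":"512x512","type":"image/png"}]}';

    # Exact-match location: only /auth/blockstack is affected, nothing under it.
    location = /auth/blockstack {
        # Content-Type for the static "return" below; proxied responses keep their own.
        default_type application/json;

        # Answer /auth/blockstack?manifest=true from the proxy so the authenticator
        # gets JSON instead of the HTML page with a button that Discourse now serves.
        if ($arg_manifest = "true") {
            # Assumption: the authenticator fetches the manifest from another origin,
            # so the same permissive CORS header the omniauth strategy sent is needed.
            add_header Access-Control-Allow-Origin "*";
            return 200 $blockstack_manifest;
        }

        # Every other request to this path (the actual login POST/redirect) still
        # goes through Discourse and the omniauth strategy.
        proxy_pass http://discourse_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://discourse_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `curl -s 'https://forum.example.com/auth/blockstack?manifest=true'`, which should return the JSON with `Content-Type: application/json`, while `curl -sI https://forum.example.com/auth/blockstack` should still reach Discourse.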

@wileyj
Contributor

wileyj commented Jan 4, 2021

hmm, the proxy idea might be the path of least resistance here.

I think we can give it a shot, and see if it works

@larrysalibra
Collaborator Author

Cool! Let me know how it works!
