Leave domain empty in cookies, but account for clients with old cookies. #1102
Conversation
|
I've opened this with the changes from the earlier PR. Now we just need to figure out how to do it right. |
|
@mythsunwind writes:
So is it enough to just allow for the old cookie to be present, but ignore it? |
Here is an example of the I hope this helps you. |
fisx
changed the title
fisx
force-pushed
the
fisx/cookies-the-2nd
branch
from
0cd5079
to
106816c
Compare
|
106816c does this: I'm probably missing something obvious? |
fisx
force-pushed
the
fisx/cookies-the-2nd
branch
2 times, most recently
from
cf34bd0
to
5cf5d6c
Compare
fisx
force-pushed
the
fisx/cookies-the-2nd
branch
3 times, most recently
from
ca23b06
to
46a6f79
Compare
| let Just email = userEmail u | ||
| dologin :: HasCallStack => Http ResponseLBS | ||
| dologin = login n (defEmailLogin email) PersistentCookie <!! const 200 === statusCode | ||
| outdatedCookie <- decodeCookie <$> dologin |
There was a problem hiding this comment.
we need to make the outdated cookie look like a legacy cooikie! ie., different domain.
There was a problem hiding this comment.
We just need to send 2 cookies
| @@ -69,7 +69,6 @@ import Spar.Scim | |||
| import Spar.Scim.Swagger () | |||
| import Spar.Types | |||
| import qualified URI.ByteString as URI | |||
| import qualified Web.Cookie as Cky | |||
There was a problem hiding this comment.
also test that this behaves as expected!
| @@ -135,7 +135,6 @@ optSettings: | |||
| setNexmo: test/resources/nexmo-credentials.yaml | |||
| # setStomp: test/resources/stomp-credentials.yaml | |||
| setUserMaxConnections: 16 | |||
| setCookieDomain: 127.0.0.1 | |||
There was a problem hiding this comment.
move this to integration.yaml
fisx
force-pushed
the
fisx/cookies-the-2nd
branch
from
46a6f79
to
860b2dc
Compare
tiago-loureiro
changed the title
|
This is now ready for review. Could someone please run ormolu against it? |
tiago-loureiro
force-pushed
the
fisx/cookies-the-2nd
branch
from
9042b0d
to
f2aaa21
Compare
Nevermind, all good |
| @@ -411,9 +411,6 @@ data Settings = Settings | |||
| -- | Max. number of permanent clients per user | |||
| setUserMaxPermClients :: !(Maybe Int), | |||
| -- | The domain to restrict cookies to | |||
| setCookieDomain :: !Text, | |||
| -- | Whether to allow plain HTTP transmission | |||
| -- of cookies (for testing purposes only) | |||
There was a problem hiding this comment.
You removed the wrong comment
| @@ -1045,7 +1045,7 @@ setProviderCookie t r = do | |||
| Cookie.def | |||
| { Cookie.setCookieName = "zprovider", | |||
| Cookie.setCookieValue = toByteString' t, | |||
| Cookie.setCookieDomain = Just $ Text.encodeUtf8 . setCookieDomain $ s, | |||
| Cookie.setCookieDomain = Nothing, | |||
There was a problem hiding this comment.
can just leave this line; Cookie.def already contains Cookie.setCookieDomain = Nothing
| validateTokens [] _ = throwE ZAuth.Invalid | ||
| validateTokens (ut : []) at = validateToken ut at | ||
| validateTokens uts at = do | ||
| tokens <- forM uts $ \ut -> lift $ runExceptT (validateToken ut at) |
There was a problem hiding this comment.
| tokens <- forM uts $ \ut -> lift $ runExceptT (validateToken ut at) | |
| tokens <- forM uts $ \ut -> (validateToken ut at) |
lift . runExceptT is just id I think? No need to runExceptT and lift if validateToken and validateTokens are both already an ExceptT ?
There was a problem hiding this comment.
We discussed it f2f; the reason is that we don't want to fail right away so the logic is correct. Will try to tackle the previous point as a cleanup.
|
This is good to go from my end, all PR feedback was addressed now. |
Fixes https://github.com/zinfra/backend-issues/issues/953
#1076 breaks UX: clients attempting to get new tokens from
/accesswith cookies they got before this change will receive an error, and will have to login again.This PR does it right.
When multiple cookies are presented to the backend, all of them will be tested against the database. If any of them is valid, then we pick the "first" one and use that for auth purposes.