Reasons for cookies not being included with fetch - firefox-addon-webextensions

I do a fetch with the credentials options set to true. My manifest permissions doesn't have cookies in it:
"permissions": ["storage", "webNavigation", "webRequest", "webRequestBlocking", "<all_urls>", "tabs", "notifications", "downloads"]
and my manifest is set for "spanning" on incognito:
"incognito": "spanning",
For most users, cookies are sent with the fetch, but a few users are reporting issues of not being logged in. When I sent them a debug version to send me html of the pages fetched (i fetch - https://addons.mozilla.org/en-US/developers/addon/api/key/ ) I am seeing the html of them logged out/on the login form.
Are there any reasons aside from not setting credentials that cookies can be missing from the fetch? Like should I add cookies to permissions?

Related

reactjs app with keycloack keeps redirecting

Following https://scalac.io/blog/user-authentication-keycloak-1/ I have made the app and realm. Then it was showing cors error even though I have put http://localhost:3000/ as weborigin and put "enable-cors": true, in json. So I have put + as web origin. Now after login, it keeps redirecting between URLs or as logged in state and not logged in state.
How can I solve it so that it redirects to one URL only, or keep it as logged in state.
After login from keycloack UI in localhost:8080 it keeps jumping between these two states or URLs:
keycloack client settings:
Edit:
Actually this happens if init options has any value such as check-sso or login-required.

use Session cookies with adonis & react

I'm having trouble understanding how session cookies work. I have an Adonisjs Api and a React app.
In my login / Register components, I fetch the data with post request and credentials set to true. Everything work fine and the adonis-session cookie is set in the browser.
But, after that, I want to be redirected to the homepage and fetch users' posts but I get 401 unauthorized response.
Can someone help me understand what I need to do? How can I check if the user is logged in with this adonis-session token? Use the context API?

Localhost and CORS with Auth0 not allowing me to login

I'm making a React app and trying to use Auth0 to authenticate. After trying to log in, it returns this:
XMLHttpRequest cannot load https://my-domain.auth0.com/usernamepassword/login. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:3000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I thought it would be related to this: CORS problems with Auth0 and React but I have both http://localhost:3000, http://localhost:3000/login in the 'Allowed Origins (CORS)' spot in Auth0's settings (and yes I'm using the correct client ID as well).
I tried putting http://localhost:3000/, http://localhost:3000/login in the 'Allowed Callback URL's (don't know exactly what that does) but that didn't work either.
When I use the social connection (Google) it allowed me to login after putting http://localhost:3000/login in the Allowed Callback URL's.
But it still won't work for just a new user logging in.
Any help?
If it makes a difference:
Auth0 Logs show for the social login but there are no logs at all for when I connect otherwise
I think related to this is that I also get this every time I load the page:
There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "http://localhost:3000" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ...(link to my dash)
I get a 404 from the gravatar website
Also I get these errors (may not be related):
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "user-agent"
Something was wrong with the client in Auth0. I don't know what it was but I built an Angular4 app and connected to the same client in Auth0 and got the same errors. I then tried deleting the client in Auth0 and making a new one and now it works. I have no idea what was causing the error, but creating a new client and connecting to that one fixed the issue.

Login from other Domain using MeanJS API

In MeanJS, after a user loggedin and we refresh the page, in core.server.controller.js will send a user credentials to the index.html
exports.renderIndex = function (req, res) {
res.render('modules/core/server/views/index', {
user: req.user || null
});
};
Ques 1: Why the server knows who is the loggedin user? even we have closed the browser and reopen it.
Ques 2
Lets't call the domain of above app is localhost:8000.
I have a separate website with just front-end code (angular) no backend.
Let's call it localhost:3000. I can call the API from localhost:8000 and display the data.
I can also login by calling localhost:8000/api/auth/signin API, but after I refresh it, it does not recognize me as signedin user because I have no server serve me the index.html like localhost:3000.
Any trick to make localhost:8000 login works?
Regarding Question 1, that happens because of the way express-session is configured. If you close the browser the cookie session will persist, unless you change the options defined in config/env/default.js, namely:
// Session Cookie settings
sessionCookie: {
// session expiration is set by default to 24 hours
maxAge: 24 * (60 * 60 * 1000),
// httpOnly flag makes sure the cookie is only accessed
// through the HTTP protocol and not JS/browser
httpOnly: true,
// secure cookie should be turned to true to provide additional
// layer of security so that the cookie is set only when working
// in HTTPS mode.
secure: false
},
According to express-session docs you can use expire and maxAge to control that behaviour. If both maxAge and expire are unset most clients will consider this a "non-persistent cookie" and will delete it on a condition like exiting a web browser application. In MEAN.js maxAge is set and that's why the user keeps logged in even if the browser is closed. However after 24 hours the user will need to login again.
Regarding Question 2, I never tried anything like that but I think the answer may be in the domain, path and sameSite properties of express-session docs. Take a look and see if something works out according to your needs.

GWT and AppEngine User Service

I am using GAE User Service to Authrnicate my GWT Application.
Depending on whether the User is logged in the User is presented with LoginPage/Dashboard.
The GWT Application calls a Auth Servlet (Window.Location.assign("/googleauth"); causing application to unload which then transfers control to Google Authentication Page, after authentication we are redirected to CallBack servlet.
I can check whether user is loggedin successfully in Callback Servlet. However if I simply redirect back to my application the session login is lost.
The Application loads from scratch.
If I set up a cookie-->
HttpSession session =
request.getSession();
String sessionid = session.getId(); //Get sessionID from
server's response to your login
request
Cookie cookie=new Cookie("sid",sessionid);
response.addCookie(cookie);
response.sendRedirect(AppURL.getApplicationBaseURL());
In my client code check -->
String sessionID =
Cookies.getCookie("sid");
if(sessionID!=null) { //show
dashboard }
Is the way I am using secure? How long are the cookies valid for?
You said:
I simply redirect back to my application the session login is lost.
This should not happen. Once you login the session should be there until you logout or session timeouts (you can set this in GAE settings).
You can simply make a GWT-RPC call to server and check if user is logged in: UserServiceFactory.getUserService().isUserLoggedIn().
Note: if you are looking for session cookies, AppEngine uses different cookie names in production and development servers. It uses ACSID cookie in production and dev_appserver_login.

Resources